offsec.nl - Healthcheck analysis

Date: 2023-04-04 - Engine version: 3.0.0.0

This report has been generated with the Basic Edition of PingCastle.
Being part of a commercial package is forbidden (selling the information contained in the report).
If you are an auditor, you MUST purchase an Auditor license to share the development effort.

This section focuses on the core security indicators.
Locate the sub-process determining the score and fix some rules in that area to get a score improvement.

Indicators

Domain Risk Level: 100 / 100

This is the maximum of the 4 indicator scores; a score cannot be higher than 100. The lower, the better.

Stale Objects: 41 / 100

It is about operations related to user or computer objects

8 rules matched

Trusts: 0 / 100

It is about links between two Active Directories

0 rules matched

Privileged Accounts: 100 / 100

It is about administrators of the Active Directory

13 rules matched

Anomalies: 72 / 100

It is about specific security control points

15 rules matched

Rule categories per indicator:

Stale Objects: Inactive user or computer, Network topography, Object configuration, Obsolete OS, Old authentication protocols, Provisioning, Replication, Vulnerability management
Privileged accounts: Account take over, ACL Check, Admin control, Control paths, Delegation Check, Irreversible change, Privilege control, Read-Only Domain Controllers
Trusts: Old trust protocol, SID Filtering, SIDHistory, Trust impermeability, Trust inactive, Trust with Azure
Anomalies: Audit, Backup, Certificate take over, Golden ticket, Local group vulnerability, Network sniffing, Pass-the-credential, Password retrieval, Reconnaissance, Temporary admins, Weak password

Legend:
  score is 0 - no risk identified but some improvements detected
  score between 1 and 10 - a few actions have been identified
  score between 10 and 30 - rules should be looked at with attention
  score higher than 30 - major risks identified

This section represents the maturity score (inspired by ANSSI).

This feature is reserved for customers who have purchased a license

This section represents an evaluation of the techniques available in the MITRE ATT&CK®

This feature is reserved for customers who have purchased a license

Stale Objects: 41 / 100

It is about operations related to user or computer objects

+ 15 Point(s)

Ensure that the NTLMv1 and old LM protocols are banned

Rule ID:

S-OldNtlm

Description:

The purpose is to check if NTLMv1 or LM can be used by the DC.

Technical explanation:

NTLMv1 is an old protocol which is known to be vulnerable to cryptographic attacks.
It is typically used when an attacker sniffs the network and tries to retrieve NTLM hashes, which can then be used to impersonate users.

This attack can be combined with coerced authentication attacks, in which an attacker forces the DC to connect to a host under their control.
In this case, NTLMv1 can be requested so that the attacker retrieves the NTLM hash of the DC, impersonates it and then takes control of the domain.
This attack is still possible with NTLMv2, but it is more difficult.

Windows has default security settings regarding LM/NTLM. Windows XP: Send LM & NTLM responses; Windows 2003: Send NTLM response only; Vista/2008 and Win7/2008 R2: Send NTLMv2 response only.

However, Domain Controllers have relaxed settings in order to accept connections from older operating systems.
That means that by default, NTLMv1 is accepted on domain controllers.
If no GPO defines the LAN Manager Authentication Level, the DC falls back to the insecure default.

Advised solution:

After an audit of NTLMv1 usage (see the links below), you need to raise the LAN Manager Authentication Level to "Send NTLMv2 response only. Refuse LM & NTLM".
This can be done by editing the policy "Network security: LAN Manager authentication level", which can be accessed in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.
The policy will be applied after a computer reboot.

As an alternative, the well-known script Get-NtlmV1LogonEvents.ps1 can be used to search for NTLMv1 logon events.

Beware that you may break software which is not compatible with NTLMv2, such as old Linux stacks or Windows versions older than Windows Vista.
Please note, however, that NTLMv2 can be activated on all Windows versions starting with Windows 95, and on other operating systems.

Points:

15 points if present

Documentation:

https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/audit-domain-controller-ntlmv1
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain
https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level
https://learn.microsoft.com/en-us/troubleshoot/windows-client/windows-security/enable-ntlm-2-authentication
[MITRE]T1557.001 Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
[FR]ANSSI - Recommandations de sécurité relatives à Active Directory - R37 [paragraph.3.6.2.1]

Details:

The detail can be found in Security settings

GPO  Value
Windows default without an active GPO  3

+ 10 Point(s)

Check the process of registration of computers to the domain

Rule ID:

S-ADRegistration

Description:

The purpose is to ensure that basic users cannot register extra computers in the domain

Technical explanation:

By default, a basic user can register up to 10 computers within the domain. This default configuration represents a security issue, as basic users shouldn't be able to create such accounts; this task should be handled by administrators.

Note: this program also checks the GPO for the SeMachineAccountPrivilege assignment. This assignment can be used to restrict the impact of the ms-DS-MachineAccountQuota attribute.

Advised solution:

To solve the issue, limit the number of extra computers that can be registered by a basic user. It can be reduced by setting the value of ms-DS-MachineAccountQuota to zero (0). Another solution is to remove the Authenticated Users group altogether from the SeMachineAccountPrivilege assignment in the domain controllers policy. Do note that if you need to delegate to an account the ability to add computers to the domain, it can be done through 2 methods: delegation on the OU, or by assigning the SeMachineAccountPrivilege to a dedicated group.

Points:

10 points if present

Documentation:

https://docs.microsoft.com/troubleshoot/windows-server/identity/default-workstation-numbers-join-domain
http://prajwaldesai.com/allow-domain-user-to-add-computer-to-domain/
http://blog.backslasher.net/preventing-users-from-adding-computers-to-a-domain.html
[MITRE]Mitre Att&ck - Mitigation - User Account Management

+ 5 Point(s)

Check if all admin accounts require kerberos pre-authentication

Rule ID:

S-NoPreAuthAdmin

Description:

The purpose is to ensure that all admin accounts require kerberos pre-authentication

Technical explanation:

Without Kerberos pre-authentication, an attacker can request Kerberos data from the domain controller and use this data to brute-force the account password. You can search for such accounts using the LDAP query (userAccountControl:1.2.840.113556.1.4.803:=4194304).

Advised solution:

Edit the properties of the involved accounts and select the Account tab. Uncheck "Do not require Kerberos preauthentication". For computers, which don't have the Account tab, you have to manually edit the attribute userAccountControl: subtract the value 4194304 from the attribute.

Points:

5 points per discovery

Documentation:

http://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
[MITRE]T1558.004 Steal or Forge Kerberos Tickets: AS-REP Roasting
[FR]ANSSI - Kerberos pre-authentication disabled for privileged accounts (vuln1_kerberos_properties_preauth_priv)1

Details:

The detail can be found in User information and Computer information

Account  Created  LastLogon
PAULINE_BEACH 23/12/2022 11:51:38 Never

+ 5 Point(s)

Check if all accounts require kerberos pre-authentication

Rule ID:

S-NoPreAuth

Description:

The purpose is to ensure that all accounts require kerberos pre-authentication

Technical explanation:

Without Kerberos pre-authentication, an attacker can request Kerberos data from the domain controller and use this data to crack the account password. You can find which accounts don't require Kerberos pre-authentication with the PowerShell command: Get-ADObject -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=4194304)"

Advised solution:

Edit the properties of the involved accounts and select the Account tab. Uncheck "Do not require Kerberos preauthentication". For computers, which don't have the Account tab, you have to manually edit the attribute userAccountControl: subtract the value 4194304 from the attribute.

Points:

5 points if present

Documentation:

http://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
[MITRE]T1558.004 Steal or Forge Kerberos Tickets: AS-REP Roasting
[FR]ANSSI - Kerberos pre-authentication disabled (vuln2_kerberos_properties_preauth)2

Details:

The detail can be found in User information and Computer information

Account  Created  LastLogon
SOCORRO_CLAY 23/12/2022 11:46:39 Never
LANDON_WATSON 23/12/2022 11:46:50 Never
JULIAN_MCCLAIN 23/12/2022 11:46:55 Never
4366621908SA 23/12/2022 11:46:58 Never
VIOLET_BARBER 23/12/2022 11:47:02 Never
MAC_BARRY 23/12/2022 11:47:08 Never
TREVOR_BAUER 23/12/2022 11:47:09 Never
MOSES_STRONG 23/12/2022 11:47:11 Never
JANNIE_WASHINGTON 23/12/2022 11:47:20 Never
2186787523SA 23/12/2022 11:47:37 Never
4739737917SA 23/12/2022 11:47:38 Never
CONSUELO_THOMAS 23/12/2022 11:47:50 Never
WILBERT_OSBORN 23/12/2022 11:48:00 Never
MERLE_BERGER 23/12/2022 11:48:00 Never
JAY_MALONE 23/12/2022 11:48:05 Never
2910960457SA 23/12/2022 11:48:15 Never
IVA_YORK 23/12/2022 11:48:19 Never
SONJA_HUTCHINSON 23/12/2022 11:48:19 Never
JANNA_WOOD 23/12/2022 11:48:24 Never
MATT_MONTGOMERY 23/12/2022 11:48:27 Never
SALLY_HEATH 23/12/2022 11:48:31 Never
SHEREE_CARNEY 23/12/2022 11:48:34 Never
DENNIS_HOWE 23/12/2022 11:48:35 Never
SUMMER_WALLS 23/12/2022 11:48:36 Never
SHAWNA_ELLIS 23/12/2022 11:48:38 Never
BECKY_TERRY 23/12/2022 11:48:42 Never
JERROLD_BOWERS 23/12/2022 11:48:51 Never
KATHY_BYERS 23/12/2022 11:48:57 Never
KURT_STANTON 23/12/2022 11:48:59 Never
JANELL_WILCOX 23/12/2022 11:49:05 Never
EFREN_ROSS 23/12/2022 11:49:12 Never
QUENTIN_COFFEY 23/12/2022 11:49:14 Never
SADIE_BARTLETT 23/12/2022 11:49:19 Never
BLAINE_WELCH 23/12/2022 11:49:20 Never
CARLY_BUTLER 23/12/2022 11:49:25 Never
LEIGH_CALHOUN 23/12/2022 11:49:26 Never
VONDA_SKINNER 23/12/2022 11:49:30 Never
ALFREDO_FLOWERS 23/12/2022 11:49:36 Never
FELIX_VINCENT 23/12/2022 11:49:39 Never
ELIZA_MONTGOMERY 23/12/2022 11:49:44 Never
WESTON_COLEMAN 23/12/2022 11:49:46 Never
JANA_STANTON 23/12/2022 11:49:53 Never
HUNTER_BRIGGS 23/12/2022 11:49:55 Never
CALEB_DYER 23/12/2022 11:50:01 Never
CHARLOTTE_DAVID 23/12/2022 11:50:02 Never
DOMINICK_VANG 23/12/2022 11:50:10 Never
PATRICK_ROBBINS 23/12/2022 11:50:20 Never
HERSHEL_PECK 23/12/2022 11:50:27 Never
LINA_HALL 23/12/2022 11:50:35 Never
MARTIN_MCINTOSH 23/12/2022 11:50:36 Never
GRANT_DENNIS 23/12/2022 11:50:38 Never
KELSEY_MULLEN 23/12/2022 11:50:39 Never
CRISTINA_HULL 23/12/2022 11:50:40 Never
FRANCIS_NOLAN 23/12/2022 11:50:44 Never
KERI_HENSLEY 23/12/2022 11:50:47 Never
VILMA_SIMON 23/12/2022 11:50:48 Never
KELVIN_MORSE 23/12/2022 11:50:54 Never
ALYSSA_YATES 23/12/2022 11:51:01 Never
VAN_LESTER 23/12/2022 11:51:08 Never
ROSALYN_BURNS 23/12/2022 11:51:12 Never
NAOMI_BENTLEY 23/12/2022 11:51:13 Never
JESSE_THORNTON 23/12/2022 11:51:16 Never
EMANUEL_ENGLAND 23/12/2022 11:51:27 Never
CHARLIE_HARDY 23/12/2022 11:51:30 Never
OTTO_OWEN 23/12/2022 11:51:37 Never
ANGEL_BROCK 23/12/2022 11:51:41 Never
MARIA_RICHMOND 23/12/2022 11:51:41 Never
LENA_MANNING 23/12/2022 11:51:42 Never
LILLIAN_CONLEY 23/12/2022 11:51:42 Never
COLEMAN_GRAY 23/12/2022 11:51:48 Never
DUSTY_BERNARD 23/12/2022 11:51:51 Never
ZACHARIAH_PETTY 23/12/2022 11:51:54 Never
GLENDA_ROSARIO 23/12/2022 11:51:57 Never
DEBBIE_BERNARD 23/12/2022 11:52:12 Never
REYNA_FLEMING 23/12/2022 11:52:17 Never
EVERETTE_THOMAS 23/12/2022 11:52:24 Never
TERRI_DONALDSON 23/12/2022 11:52:33 Never
KURT_HARRINGTON 23/12/2022 11:52:35 Never
SHELLEY_SANFORD 23/12/2022 11:52:38 Never
DOMINIQUE_CHASE 23/12/2022 11:52:40 Never
LILLIAN_LLOYD 23/12/2022 11:52:42 Never
LORETTA_NGUYEN 23/12/2022 11:52:44 Never
DONALD_FOX 23/12/2022 11:52:46 Never
PATRICA_CORTEZ 23/12/2022 11:52:55 Never
ROBBIE_SHAFFER 23/12/2022 11:53:05 Never
MARCY_MARSHALL 23/12/2022 11:53:10 Never
RACHEL_KNOWLES 23/12/2022 11:53:11 Never
MICHELLE_VALDEZ 23/12/2022 11:53:27 Never
PATTI_BYRD 23/12/2022 11:53:35 Never
GORDON_COLON 23/12/2022 11:53:36 Never
DANIELLE_HILL 23/12/2022 11:53:37 Never
CHASE_COTTON 23/12/2022 11:53:42 Never
FEDERICO_BENNETT 23/12/2022 11:53:46 Never
CARRIE_FIELDS 23/12/2022 11:53:49 Never
MELVIN_GREGORY 23/12/2022 11:53:56 Never
MARGRET_SHERMAN 23/12/2022 11:53:57 Never
ADOLPH_PITTMAN 23/12/2022 11:53:58 Never
LEONARD_TREVINO 23/12/2022 11:54:01 Never
WESLEY_CLARK 23/12/2022 11:54:11 Never
MADELEINE_BATES 23/12/2022 11:54:16 Never
JAN_DURAN 23/12/2022 11:54:18 Never
ERNIE_STEVENS 23/12/2022 11:54:34 Never
WALKER_BASS 23/12/2022 11:54:40 Never
GALE_MCMILLAN 23/12/2022 11:54:44 Never
JASMINE_MADDOX 23/12/2022 11:54:46 Never
JOSEPHINE_MANNING 23/12/2022 11:54:53 Never
DAMIEN_HOLMES 23/12/2022 11:54:54 Never
MELBA_MONTOYA 23/12/2022 11:54:57 Never
JARRED_DOWNS 23/12/2022 11:55:08 Never
GRANT_ANDREWS 23/12/2022 11:55:09 Never
ABRAHAM_MASSEY 23/12/2022 11:55:11 Never
FREDERIC_HAYDEN 23/12/2022 11:55:16 Never
COLEEN_BAKER 23/12/2022 11:55:21 Never
OSVALDO_LYNN 23/12/2022 11:55:29 Never
SUE_WHEELER 23/12/2022 11:55:32 Never
LESSIE_COOPER 23/12/2022 11:55:34 Never
CARSON_GUY 23/12/2022 11:55:40 Never
SCOT_HODGES 23/12/2022 11:55:42 Never
GOLDIE_RHODES 23/12/2022 11:55:49 Never
SHELIA_LARSEN 23/12/2022 11:55:50 Never
LUCILE_OLSEN 23/12/2022 11:55:53 Never
DENNIS_CROSS 23/12/2022 11:55:59 Never
STACY_MCKENZIE 23/12/2022 11:56:08 Never
DEBRA_WYNN 23/12/2022 11:56:13 Never
BLANCA_LANE 23/12/2022 11:56:17 Never
KATY_HALEY 23/12/2022 11:56:30 Never
BEVERLEY_CHANEY 23/12/2022 11:56:31 Never
MASON_WOLFE 23/12/2022 11:56:35 Never
SOPHIA_WHITE 23/12/2022 11:56:36 Never
MERCEDES_MARSH 23/12/2022 11:56:37 Never
TOBY_CURTIS 23/12/2022 11:56:38 Never
ALEXANDRA_MAYS 23/12/2022 11:56:48 Never
ROCHELLE_GREEN 23/12/2022 11:56:55 Never
TESSA_WILDER 23/12/2022 11:56:57 Never
HAZEL_GLENN 23/12/2022 11:57:07 Never
AMADO_CARR 23/12/2022 11:57:08 Never
JEFFERY_GILBERT 23/12/2022 11:57:11 Never
ANDY_LEON 23/12/2022 11:57:20 Never
ABIGAIL_REYNOLDS 23/12/2022 11:57:43 Never
CARROLL_SWEENEY 23/12/2022 11:57:54 Never
CHRISTIAN_ERICKSON 23/12/2022 11:58:14 Never
NORA_BULLOCK 23/12/2022 11:58:41 Never
JENIFER_HOPPER 23/12/2022 11:58:49 Never
BOBBI_RODGERS 23/12/2022 11:59:09 Never
HARLAN_GREER 23/12/2022 11:59:11 Never
TRUMAN_NUNEZ 23/12/2022 11:59:23 Never
ASHLEY_BLAIR 23/12/2022 11:59:26 Never

+ 5 Point(s)

Check for completeness of network declaration

Rule ID:

S-DC-SubnetMissing

Description:

The purpose is to ensure that the minimum set of subnet(s) has been configured in the domain

Technical explanation:

When multiple sites are created in a domain, networks should be declared in the domain in order to optimize processes such as DC attribution. In addition, PingCastle can collect this information to build a network map. This rule has been triggered because at least one domain controller has an IP address which was not found in the subnet declarations. These IP addresses have been collected by resolving the DC FQDN to IP addresses in both IPv6 and IPv4 formats.

Advised solution:

Locate the IP address which was found not to be part of a declared subnet, then add this subnet in the "Active Directory Sites" tool. If you have found IPv6 addresses and this was not expected, you should disable the IPv6 protocol on the network card.

Points:

5 points if present

Documentation:

[MITRE]Mitre Att&ck - Mitigation - Active Directory Configuration

Details:

The detail can be found in Domain controllers

Domain controller  IP
DC02 10.10.20.52
DC03 10.10.20.53

+ 1 Point(s)

Check that there is no account with never-expiring passwords

Rule ID:

S-PwdNeverExpires

Description:

The purpose is to ensure that every account has a password which is compliant with password expiration policies

Technical explanation:

Some accounts have passwords which never expire. Should an attacker compromise one of these accounts, they would be able to maintain long-term access to the Active Directory domain.

We have noted that some domain-joined Linux servers are configured with a password which never expires.
This is a misconfiguration, because a periodic password change can be configured; it was however not the default on some platforms.
See one of the links below for more information.

Advised solution:

In order to make Active Directory enforce periodic password changes, accounts must not have the "Password never expires" flag set in the "Account" tab of the user properties. Their passwords should then be rolled immediately.
For service accounts, Windows provides the "managed service accounts" and "group managed service accounts" features to facilitate the automatic change of passwords.
Please note that there is a document in the section below which references solutions for the service accounts of well-known products.
Linux servers should also be configured to change their machine account password automatically.

Points:

1 point if present

Documentation:

https://adsecurity.org/?p=4115
https://access.redhat.com/discussions/1283873
[MITRE]Mitre Att&ck - Mitigation - Active Directory Configuration
[FR]ANSSI - Accounts with never-expiring passwords (vuln2_dont_expire)2

Details:

The detail can be found in User information

Informative rule

Ensure that DC supports kerberos armoring when functional level is at least Windows 2012

Rule ID:

S-KerberosArmoringDC

Description:

The purpose is to ensure that DC supports kerberos armoring when functional level is at least Windows 2012

Technical explanation:

Kerberos Armoring is an optimization of the Kerberos protocol. It avoids the preauthentication steps, thus prohibiting preauthentication attacks.
It is supported only starting with Windows 2012 DCs and Windows 8 workstations.
If Kerberos armoring is requested for other operating systems (such as Windows 7 or Linux), the Kerberos authentication protocol may refuse to work.

Advised solution:

To enable kerberos armoring for domain controllers, edit the GPO and go to Computer Configuration > Administrative Templates > System > KDC
then enable the policy "KDC support for claims, compound authentication and Kerberos armoring".
The policy should be set to at least "Supported".

The safest setting is "Fail authentication requests when Kerberos armoring is not available", but it should be enabled only if all clients support Kerberos armoring.

Points:

Informative rule (0 point)

Documentation:

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831747(v=ws.11)
https://pupuweb.com/solved-how-enable-kerberos-armoring-eap-fast-ad/
[MITRE]T1558 Steal or Forge Kerberos Tickets

Details:

If activated, the detail can be found in Security settings

Informative rule

Ensure that clients support kerberos armoring when functional level is at least Windows 2012

Rule ID:

S-KerberosArmoring

Description:

The purpose is to ensure that clients support Kerberos armoring when the functional level is at least Windows 2012.

Technical explanation:

Kerberos Armoring is an optimization of the Kerberos protocol. It avoids the preauthentication steps, thus prohibiting preauthentication attacks.
It is supported only starting with Windows 2012 DCs and Windows 8 workstations.
If Kerberos armoring is requested for other operating systems (such as Windows 7 or Linux), the Kerberos authentication protocol may refuse to work.

Advised solution:

To enable Kerberos armoring for clients, edit the GPO and go to Computer Configuration > Administrative Templates > System > Kerberos,
then enable the policy "Kerberos client support for claims, compound authentication and Kerberos armoring".

Points:

Informative rule (0 point)

Documentation:

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831747(v=ws.11)
https://pupuweb.com/solved-how-enable-kerberos-armoring-eap-fast-ad/
[MITRE]T1558 Steal or Forge Kerberos Tickets

Details:

If activated, the detail can be found in Security settings

Privileged Accounts: 100 / 100

It is about administrators of the Active Directory

+ 30 Point(s)

A Delegation is granted to Everyone

Rule ID:

P-DelegationEveryone

Description:

The purpose is to verify that there is no delegation granted to "Everyone" and to "Authenticated Users"

Technical explanation:

To delegate control over an OU, its permissions can be modified. In case of a misconfiguration, access can be granted to the group "Everyone" or "Authenticated Users".

Advised solution:

Review the delegation to remove this permission and if needed, set a more targeted group as recipient of the delegation.

Points:

15 points per discovery

Documentation:

[MITRE]Mitre Att&ck - Mitigation - Active Directory Configuration
[US]STIG V-2370 - The access control permissions for the directory service site group policy must be configured to use the required access permissions.
[MITRE]T1187 Forced Authentication
[FR]ANSSI - Recommandations de sécurité relatives à Active Directory - R18 [subsubsection.3.3.2]

Details:

The detail can be found in Delegations

DN  Delegation  Right
OU=Groups,OU=GOO,OU=Tier 1,DC=offsec,DC=nl Domain Users GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Devices,OU=GOO,OU=Stage,DC=offsec,DC=nl Domain Users GenericAll, GenericWrite, WriteDacl, WriteOwner

+ 30 Point(s)

Check for inactive Administrator Accounts

Rule ID:

P-Inactive

Description:

The purpose is to ensure that the Administrator Accounts in the AD are all necessary and used

Technical explanation:

Accounts within the AD have attributes indicating the creation date of the account and its last login. Accounts which haven't had a login in the last 6 months, or which were created more than 6 months ago without any login, are considered inactive. If an Administrator Account is inactive, the reason for it having Administrator rights should be strongly justified.

Advised solution:

To correct the situation, you should make sure that all your Administrator Account(s) are "Active", meaning that you should remove Administrator rights from any account which is not "Active".

Points:

30 points if the occurrence is greater than or equal to 30
then 20 points if the occurrence is greater than or equal to 15

Documentation:

[MITRE]Mitre Att&ck - Mitigation - Privileged Account Management
[FR]ANSSI - Recommandations de sécurité relatives à Active Directory - R36 [subsection.3.6]

+ 25 Point(s)

Check if there is a control path involving everyone-like groups.

Rule ID:

P-ControlPathIndirectEveryone

Description:

The purpose is to ensure that there is no control path involving everyone.

Technical explanation:

If you have access to a key server and the helpdesk can reset your password, then the helpdesk has access to the key server.
This is the kind of logic used by attackers to take control of the domain using key infrastructure objects (domain root, ...) or groups (domain administrators, ...).
Permissions are collected and analyzed to produce a control paths analysis.
Only write permissions (and some specific ones) are used for this analysis.
The program then identifies which users or computers that are not members of known groups can take control of the object.
To be fast, some tradeoffs have been made. For example, users logged on to servers are ignored.
The program may also select paths which are not exploitable, and ignore paths if it cannot read every permission.
[Everyone] includes the anonymous, everyone, authenticated users, domain users, domain computers and builtin-users groups.

Advised solution:

You should analyze the chart and determine which underlying object is involved and grants write permissions to everyone.
Then edit the permissions, locate the write permission involved, and delete it or replace it according to your delegation model.

Points:

25 points if present

Documentation:

https://github.com/BloodHoundAD/BloodHound
https://github.com/ANSSI-FR/AD-control-paths
[MITRE]T1069.002 Permission Groups Discovery: Domain Groups

Details:

The detail can be found in Control Paths Analysis

Group
Account Operators
Administrators
Backup Operators
Certificate Operators
Certificate Publishers
Dns Admins
Domain Administrators
Domain Controllers
Domain Root
Group Policy Creator Owners
Key Administrators
Print Operators
Read Only Domain Controllers
Replicator
Server Operators

+ 25 Point(s)

Check if there is a control path involving too many users or computers.

Rule ID:

P-ControlPathIndirectMany

Description:

The purpose is to check if users can abuse their write access to obtain additional privileges.

Technical explanation:

If you have access to a key server and the helpdesk can reset your password, then the helpdesk has access to the key server.
This is the kind of logic used by attackers to take control of the domain using key infrastructure objects (domain root, ...) or groups (domain administrators, ...).
Permissions are collected and analyzed to produce a control paths analysis.
Only write permissions (and some specific ones) are used for this analysis.
The program then identifies which users or computers that are not members of known groups can take control of the object.
To be fast, some tradeoffs have been made. For example, users logged on to servers are ignored.
The program may also select paths which are not exploitable, and ignore paths if it cannot read every permission.

Advised solution:

You should analyze the chart and determine which underlying object is involved and grants write permissions to too many principals.
Then edit the permissions, locate the write permission involved, and delete it or replace it according to your delegation model.

Points:

25 points if the occurrence is greater than or equal to 200
then 15 points if the occurrence is greater than or equal to 100
then 10 points if the occurrence is greater than or equal to 50
then 5 points if the occurrence is greater than or equal to 20

Documentation:

https://github.com/BloodHoundAD/BloodHound
https://github.com/ANSSI-FR/AD-control-paths
[MITRE]T1069.002 Permission Groups Discovery: Domain Groups

Details:

The detail can be found in Control Paths Analysis

Group  Number
Account Operators 722
Administrators 826
Backup Operators 749
Certificate Operators 867
Certificate Publishers 830
Dns Admins 712
Domain Administrators 741
Domain Controllers 733
Domain Root 771
Group Policy Creator Owners 902
Key Administrators 867
Print Operators 813
Read Only Domain Controllers 833
Replicator 853
Server Operators 800

+ 20 Point(s)

At least one Administrator Account can be delegated

Rule ID:

P-Delegated

Description:

The purpose is to ensure that all Administrator Accounts have the configuration flag "this account is sensitive and cannot be delegated" (or are members of the built-in group "Protected Users" when your domain functional level is at least Windows Server 2012 R2).

Technical explanation:

Without the flag "This account is sensitive and cannot be delegated", an account can be impersonated by some service accounts. It is a best practice to enforce this flag on administrator accounts.

Advised solution:

To correct the situation, you should make sure that all your Administrator Accounts have the check-box "This account is sensitive and cannot be delegated" enabled, or add your Administrator Accounts to the built-in group "Protected Users" if your domain functional level is at least Windows Server 2012 R2 (some functionalities may not work properly afterwards; you should check the official documentation).
If you want to enable the check-box "This account is sensitive and cannot be delegated" but this is not possible because the box is not present (typically for gMSA accounts), you can add the flag manually by adding the number 1048576 to the attribute userAccountControl of the account.
Please note that there is a section below in this report named "Admin Groups" which gives more information.

Points:

20 points if present

Documentation:

[MITRE]Mitre Att&ck - Mitigation - Active Directory Configuration
[US]STIG V-36435 - Delegation of privileged accounts must be prohibited.

Details:

The detail can be found in Admin Groups

+ 20 Point(s)

Check for Native administrator usage

Rule ID:

P-AdminLogin

Description:

The purpose is to verify if the Native Administrator account is used.

Technical explanation:

The Native Administrator account is the main administrator account, and it shares its password with the Directory Services Restore Mode password. Since it is the same password, it can be used to take control of the domain even if the account is disabled, notably through a DCSync attack. The last login date is retrieved through the LastLogonTimestamp LDAP attribute read from the Active Directory. There is a 35-day exception to avoid triggering this rule at domain creation.

Advised solution:

To mitigate the security risk, a good practice is to use the Native Administrator account only for emergencies, while the daily work is performed through other accounts.
It is indeed strongly recommended not to use this account, but to use nominative accounts for administrators and dedicated accounts for services.
Do note that the anomaly will be removed 35 days after the last native administrator login.

To track where the administrator account was last used, we recommend extracting the LastLogon attribute of the administrator account on ALL domain controllers.
It can be done with tools such as ADSIEdit or ADExplorer.
Then, for each domain controller, extract the 4624 events at the date matching the LastLogon date. They will identify the computer and the process at the origin of the logon event.

If the LastLogon attribute is older on ALL domain controllers than the LastLogonTimestamp, the LastLogonTimestamp attribute (that PingCastle relies on) may have been updated by the Kerberos S4U2Self mechanism.
This can be triggered from the Advanced Security Settings properties of any securable object such as a file, by selecting the Effective Access tab and clicking on View effective access.
You have to use replication metadata to find which DC updated this attribute, then look for 4769 and 4624 events on this DC to know who performed this action.
Read the page referenced in the documentation section for more information.

Please note that PingCastle relies on the attribute LastLogonTimestamp to perform this check. The LastLogonTimestamp attribute is replicated but has a latency of up to 14 days, while LastLogon is updated at each logon and is more accurate, but is not replicated.
The attribute ms-DS-Logon-Time-Sync-Interval can be used to lower or increase the replication delay.

Points:

20 points if the occurrence is strictly lower than 35

Documentation:

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/how-lastlogontimestamp-is-updated-with-kerberos-s4u2self/ba-p/257135
[MITRE]Mitre Att&ck - Mitigation - Privileged Account Management

+ 15 Point(s)

Check if Service Accounts (i.e. accounts with never-expiring passwords) are domain administrators

Rule ID:

P-ServiceDomainAdmin

Description:

The purpose is to check for accounts with non expiring passwords in the "Domain Administrator" group

Technical explanation:

PingCastle checks accounts with never-expiring passwords, which are mostly used as service accounts.
"Service Accounts" can imply a high security risk, as their passwords are stored in clear text in the LSA database, which can then be easily exploited using Mimikatz or Cain&Abel, for instance. In addition, their passwords don't change and can be used in Kerberoast attacks.

Advised solution:

Accounts whose passwords never expire are mostly service accounts.
To mitigate the security risk, it is strongly advised to lower the privileges of the "Service Accounts", meaning that they should be removed from the "Domain Administrator" group, while ensuring that the password of each and every "Service Account" is longer than 20 characters.

Points:

15 points if the occurrence is greater than or equal to 2

Documentation:

[US]STIG V-36432 - Membership to the Domain Admins group must be restricted to accounts used only to manage the Active Directory domain and domain controllers.
[MITRE]Mitre Att&ck - Mitigation - Privileged Account Management
[MITRE]T1003.004 OS Credential Dumping: LSA Secrets
[FR]ANSSI - Recommandations de sécurité relatives à Active Directory - R11 [subsection.2.5]
[FR]ANSSI - Privileged accounts with never-expiring passwords (vuln1_dont_expire_priv)

Details:

The detail can be found in Admin Groups

+ 10 Point(s)

Avoid unexpected schema modifications which could result in domain rebuild

Rule ID:

P-SchemaAdmin

Description:

The purpose is to ensure that no account can make unexpected modifications to the schema

Technical explanation:

The group "Schema Admins" is used to give permissions to alter the schema. Once a modification is performed on the schema such as new objects, it cannot be undone. This can result in a rebuild of the domain. The best practice is to have this group empty and to add an administrator when a schema update is required then to remove this group membership.

Advised solution:

Remove the accounts or groups belonging to the "schema administrators" group.

Points:

10 points if present

Documentation:

[FR]ANSSI - Recommandations de sécurité relatives à Active Directory - R13 [subsection.3.2]
[US]STIG V-72835 - Membership to the Schema Admins group must be limited
[MITRE]Mitre Att&ck - Mitigation - Privileged Account Management

Details:

The detail can be found in Admin Groups

+ 10 Point(s)

Ensure that the Recycle Bin feature is enabled

Rule ID:

P-RecycleBin

Description:

The purpose is to ensure that the Recycle Bin feature is enabled

Technical explanation:

The Recycle Bin avoids immediate deletion of objects (which can still be partially recovered by its tombstone). This lowers the administration work needed to restore. It also extends the period where traces are available when an investigation is needed.

Advised solution:

First, be sure that the forest level is at least Windows 2008 R2.
You can check it with Get-ADForest or in the Domain Information section.
Then you can enable it using the PowerShell command:
Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target 'test.mysmartlogon.com'

Points:

10 points if present

Documentation:

https://enterinit.com/powershell-enable-active-directory-recycle-bin
[MITRE]Mitre Att&ck - Mitigation - Audit

Details:

The detail can be found in Domain Information

+ 10 Point(s)

Check if all privileged accounts are in the special group Protected Users.

Rule ID:

P-ProtectedUsers

Description:

The purpose is to ensure that all privileged accounts are in the Protected User security group

Technical explanation:

The Protected Users group is a special security group which automatically applies protections to minimize credential exposure, starting with Windows 8.1. Older operating systems must be updated to take this protection into account, for example Windows 7 with the KB2871997 patch.
For admins, it:
- Disables NTLM authentication
- Reduces Kerberos ticket lifetime
- Mandates strong encryption algorithms, such as AES
- Prevents password caching on workstations
- Prevents any type of Kerberos delegation

Please also note that a few links (see below) recommend that at least one account is kept outside of the Protected Users group in case there is a permission problem.
That's why this rule is not triggered if only one account is not protected.

Advised solution:

After having reviewed the potential impact of adding users to this group, add the missing privileged accounts to this group.
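As an added example that is not part of the PingCastle report, the following function lists privileged users that are not members of Protected Users and applies the same threshold as the rule (only two or more unprotected accounts trigger it, so one break-glass account is tolerated). It assumes the ActiveDirectory RSAT module; the list of privileged groups is a constructed default to adjust to the Admin Groups section.

```powershell
# Added example, not part of the PingCastle report. Requires the ActiveDirectory RSAT module.
function Get-PrivilegedUsersOutsideProtectedUsers {
    param(
        # Groups treated as privileged (constructed default; align with the report's Admin Groups).
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                                        'Administrators', 'Account Operators', 'Server Operators')
    )
    # Protected Users is only enforced from the Windows Server 2012 R2 domain functional level.
    $domain = Get-ADDomain
    if ($domain.DomainMode -lt [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2012R2Domain) {
        Write-Warning "Domain functional level $($domain.DomainMode) is below 2012 R2; Protected Users is not enforced."
    }

    # Index current Protected Users members by DN (nested membership is expanded).
    $protected = @{}
    Get-ADGroupMember -Identity 'Protected Users' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $protected[$_.distinguishedName] = $true }

    # Collect every user reachable through the privileged groups.
    $privileged = @{}
    foreach ($group in $PrivilegedGroups) {
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue
        foreach ($m in $members) {
            if ($m.objectClass -eq 'user') { $privileged[$m.distinguishedName] = $m.SamAccountName }
        }
    }

    $missing = foreach ($dn in $privileged.Keys) {
        if (-not $protected.ContainsKey($dn)) {
            [pscustomobject]@{ SamAccountName = $privileged[$dn]; DistinguishedName = $dn }
        }
    }

    [pscustomobject]@{
        PrivilegedUsers = $privileged.Count
        Unprotected     = @($missing).Count
        # The rule only scores from 2 unprotected accounts: one account deliberately kept
        # outside the group (break-glass) does not trigger it.
        RuleTriggered   = (@($missing).Count -ge 2)
        Accounts        = @($missing | Sort-Object SamAccountName)
    }
}

# Usage:
# $r = Get-PrivilegedUsersOutsideProtectedUsers; $r; $r.Accounts | Format-Table
```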

Points:

10 points if the occurrence is greater than or equal to 2

Documentation:

https://docs.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group
https://blog.netwrix.com/2015/02/20/add-sensitive-user-accounts-to-active-directory-protected-users-group/
https://dirteam.com/sander/2014/11/25/ten-things-you-need-to-be-aware-of-before-using-the-protected-users-group/
https://blog.andreas-schreiner.de/2018/09/07/active-directory-sicherheit-teil-1-privilegierte-benutzer/
[MITRE]Mitre Att&ck - Mitigation - Privileged Process Integrity
[US]STIG V-78131 - Accounts with domain level administrative privileges must be members of the Protected Users group in domains with a domain functional level of Windows 2012 R2 or higher.
[FR]ANSSI - Privileged accounts outside of the Protected Users group (vuln3_protected_users)
[FR]ANSSI CERTFR-2017-ALE-012

Details:

The detail can be found in Admin Groups

User
LUCY_BENTON
RICKY_MCDANIEL
Administrator
QUINN_NASH
ERNIE_GUTHRIE
DAMIAN_DUFFY
GARTH_HARRINGTON
ALI_SANCHEZ
crypt0rr-adm
MELISA_SHERMAN
MAYNARD_MIDDLETON
EULA_KELLY
5895368778SA
JAYSON_AGUIRRE
PAULINE_BEACH
JEFFERY_BAXTER
MARIANA_SCHWARTZ
JANELLE_KELLY
SCOTTIE_PETERSEN
GENA_GONZALES
FRANCISCO_NICHOLSON
ROSALYN_LANCASTER
ELSIE_BYRD
LELA_FISHER
+ 5 Point(s)

Check the Allowed RODC Password Replication Group group

Rule ID:

P-RODCAllowedGroup

Description:

The purpose is to ensure that the Allowed RODC Password Replication Group group is empty.

Technical explanation:

Accounts belonging to the Allowed RODC Password Replication Group group have their password hashes revealed on all RODCs.

Advised solution:

This group should be emptied, and dedicated groups should only be added to the Password Replication Policy of each relevant RODC.

Points:

5 points if present

Documentation:

[MITRE]Mitre Att&ck - Mitigation - Active Directory Configuration
[FR]ANSSI - Dangerous configuration of replication groups for read-only domain controllers (RODCs) (allow) (vuln3_rodc_allowed_group)

Details:
Member
CN=CARMINE_LANE,OU=.SecFrame.com,DC=offsec,DC=nl
CN=LENA_STEIN,OU=HRE,OU=Stage,DC=offsec,DC=nl
CN=ASHLEY_PATRICK,OU=Devices,OU=FIN,OU=Tier 1,DC=offsec,DC=nl
Informative rule

Check that operator groups are empty

Rule ID:

P-OperatorsEmpty

Description:

The purpose is to ensure that the operator groups, which can have indirect control over the domain, are empty

Technical explanation:

Operator groups (account operators, server operators, ...) can take indirect control of the domain. Indeed these groups have write access to critical resources of the domain.

Advised solution:

It is recommended to keep these groups empty. Assign administrators to the Administrators group. Other accounts should have proper delegation rights in an OU or in the scope they are managing.

Points:

Informative rule (0 point)

Documentation:

[MITRE]Mitre Att&ck - Mitigation - Privileged Account Management
[FR]ANSSI - Recommandations de sécurité relatives à Active Directory - R27 [subsection.3.5]

Details:

The detail can be found in Admin Groups

Group  Members
Account Operators 1
Server Operators 3
Informative rule

Check if the Dns Admins group is not empty

Rule ID:

P-DNSAdmin

Description:

The purpose is to ensure that the Dns Admin group is not used

Technical explanation:

Administrators of the DNS service can inject a DLL into this service.
This service is most of the time hosted on a domain controller and runs as SYSTEM.
That means that DNS Admins are potentially domain admins.

The security descriptor used to grant admin rights is located on the nTSecurityDescriptor attribute of the object CN=MicrosoftDNS,CN=System.
The "Write All Prop" access right induces the vulnerability.

In this case, the DnsAdmins group is not empty and grants its members the ability to interact with the DNS service.

Advised solution:

Rule update:
The Patch Tuesday of October 2021 fixed this vulnerability and assigned it the identifier CVE-2021-40469.
If the patch has been applied, there is no additional mitigation to perform.

This rule is transformed into an informative rule in PingCastle 2.10.1 and will be removed in future versions of PingCastle.

You should remove the members of the DNS admin group and do a proper delegation to the specific DNS Zones.

First, grant only "Read Property", "List", "List object" and "Read permissions" on CN=MicrosoftDNS,CN=System to enable access to the RPC service.

Then on each zone (the object in the tree below with the class dnsZone), grant "Read Property", "List", "List object", "Read permissions", "Create Child", "Delete Child", "Delete", "Delete Tree".

Points:

Informative rule (0 point)

Documentation:

https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dnsp/007efcd2-2955-46dd-a59e-f83ae88f4678
[FR]ANSSI - DnsAdmins group members (vuln4_dnsadmins)
[MITRE]Mitre Att&ck - Mitigation - Privileged Account Management

Details:

The detail can be found in Admin Groups


Trusts : 0 /100

It is about links between two Active Directories

No rule matched


Anomalies : 72 /100

It is about specific security control points

+ 15 Point(s)

Check if the LAPS tool to handle the native local administrator password is installed

Rule ID:

A-LAPS-Not-Installed

Description:

The purpose is to make sure that there is a proper password policy in place for the native local administrator account.

Technical explanation:

LAPS (Local Administrator Password Solution) is the advised solution to handle the password of the native local administrator account on all workstations, as it is a simple way to cover most of the problem.

Advised solution:

If you don't have any provisioning process or password solution to manage local administrators, you should install the LAPS solution. If you mitigate the risk differently, you should add this rule as an exception, as the risk is covered.

Points:

15 points if present

Documentation:

https://www.microsoft.com/en-us/download/details.aspx?id=46899
[MITRE]Mitre Att&ck - Mitigation - Privileged Account Management
[US]STIG V-36438 - Local administrator accounts on domain systems must not share the same password.
[FR]ANSSI CERTFR-2015-ACT-046
[MITRE]T1078.003 Valid Accounts: Local Accounts

Details:

The detail can be found in LAPS

+ 15 Point(s)

Check for the last backup date according to Microsoft standard

Rule ID:

A-BackupMetadata

Description:

The purpose is to check if the backups are actually up to date in case they are needed. The alert can be triggered when a domain is backed up using non-recommended methods

Technical explanation:

A verification is done on the backups, ensuring that the backup is performed according to Microsoft standards. Indeed, at each backup the DIT Database Partition Backup Signature is updated. If for any reason backups are needed to perform a rollback (rebuild a domain) or to track past changes, they will then actually be up to date. This check is equivalent to a REPADMIN /showbackup *.

Advised solution:

Plan AD backups based on Microsoft standards. These standards depend on the Operating System. For example with the wbadmin utility: wbadmin start systemstatebackup -backuptarget:d:

Points:

15 points if the occurrence is greater than or equal to 7

Documentation:

https://technet.microsoft.com/en-us/library/jj130668(v=ws.10).aspx
[MITRE]Mitre Att&ck - Mitigation - Data Backup
[US]STIG V-25385 - Active Directory data must be backed up daily for systems with a Risk Management Framework categorization for Availability of moderate or high. Systems with a categorization of low must be backed up weekly.

Details:

The detail can be found in Backup

+ 10 Point(s)

Check for Short password length in password policy

Rule ID:

A-MinPwdLen

Description:

The purpose is to verify if the password policy of the domain enforces users to have at least 8 characters in their password

Technical explanation:

A check is performed to identify if the GPO regarding the password policy allows passwords shorter than 8 characters. Short passwords represent a high risk because they can fairly easily be brute-forced. Most CERTs and agencies advise at least 8 characters (and often this number goes up to 12)

Advised solution:

To solve the issue, the best way is either to remove the GPO allowing short passwords, or to modify it in order to increase the minimum password length to at least 8 characters

Points:

10 points if present

Documentation:

https://www.microsoft.com/en-us/research/publication/password-guidance/
[FR]ANSSI - Privileged group members with weak password policy (vuln2_privileged_members_password)
[MITRE]T1201 Password Policy Discovery

Details:

The detail can be found in Password policies

GPO
Default Domain Policy
+ 10 Point(s)

Ensure that the printer spooler cannot be abused to get the DC Credentials

Rule ID:

A-DC-Spooler

Description:

The purpose is to ensure that credentials cannot be extracted from the DC via its printer spooler

Technical explanation:

When there is an account with unconstrained delegation configured (which is fairly common) and the Print Spooler service running on a computer, you can get that computer's credentials sent to the system with unconstrained delegation as a user. With a domain controller, the TGT of the DC can be extracted, allowing an attacker to reuse it in a DCSync attack, obtain all user hashes and impersonate them.

Advised solution:

The spooler service should be deactivated on domain controllers. Please note as a consequence that the Printer Pruning functionality (rarely used) will be unavailable.

Points:

10 points if present

Documentation:

https://adsecurity.org/?p=4056
https://www.slideshare.net/harmj0y/derbycon-the-unintended-risks-of-trusting-active-directory
[MITRE]T1187 Forced Authentication

Details:

The detail can be found in Domain controllers

Domain controller
DC02
+ 10 Point(s)

Check if there is the expected audit policy on domain controllers.

Rule ID:

A-AuditDC

Description:

The purpose is to ensure that the audit policy on domain controllers collects the right set of events.

Technical explanation:

To detect and mitigate an attack, the right set of events needs to be collected.
The audit policy is a compromise between too much and too few events to collect.
To solve this problem, the suggested audit policy from adsecurity.org is checked against the audit policy in place.

Advised solution:

Identify the Audit settings to apply and fix them.
Be aware that there are two places for audit settings.
For "Simple" audit configuration:
in Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policies
For "Advanced" audit configuration:
in Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration
Also be sure that the audit GPO is applied to all domain controllers, as the underlying object may be in an OU where the GPO is not applied.

Points:

10 points if present

Documentation:

https://adsecurity.org/?p=3299
[MITRE]Mitre Att&ck - Mitigation - Audit

Details:

The detail can be found in Audit settings
The table below shows the settings that were not found as configured in GPO for a given domain controller.

Type  Audit  Problem  Rationale  Domain controller
Advanced Policy Change / Authentication Policy Change No GPO check for audit success Collect events 4713, 4716, 4739, 4867, to track trust modifications DC02
Advanced Account Management / Computer Account Management No GPO check for audit success Collect events 4741, 4742 to track computer changes DC02
Advanced Detailed Tracking / DPAPI Activity No GPO check for audit success Collect event 4692 to track the export of DPAPI backup key DC02
Advanced Account Logon / Kerberos Authentication Service No GPO check for audit success Collect events 4768, 4771 for kerberos authentication DC02
Advanced Account Logon / Kerberos Service Ticket Operations No GPO check for audit success Collect events 4769 for kerberos authentication DC02
Advanced Logon/Logoff / Logoff No GPO check for audit success Collect events 4634 for account logoff DC02
Advanced Logon/Logoff / Logon No GPO check for audit success Collect events 4624, 4625, 4648 for account logon DC02
Advanced Detailed Tracking / Process Creation No GPO check for audit success Collect event 4688 to get the history of executed programs DC02
Advanced Account Management / Security Group Management No GPO check for audit success Collect events 4728, 4732, 4756 for group membership change DC02
Advanced System / Security System Extension No GPO check for audit success Collect events 4610, 4697 to track lsass security packages and services DC02
Advanced Privilege Use / Sensitive Privilege Use No GPO check for audit success Collect events 4672, 4673, 4674 for privileges tracking such as the debug one DC02
Advanced Logon/Logoff / Special Logon No GPO check for audit success Collect event 4964 for special group attributed at logon DC02
Advanced Account Management / User Account Management No GPO check for audit success Collect events 4720,22,23,38,65,66,80,94 for user account management DC02
Advanced Policy Change / Authentication Policy Change No GPO check for audit success Collect events 4713, 4716, 4739, 4867, to track trust modifications DC03
Advanced Account Management / Computer Account Management No GPO check for audit success Collect events 4741, 4742 to track computer changes DC03
Advanced Detailed Tracking / DPAPI Activity No GPO check for audit success Collect event 4692 to track the export of DPAPI backup key DC03
Advanced Account Logon / Kerberos Authentication Service No GPO check for audit success Collect events 4768, 4771 for kerberos authentication DC03
Advanced Account Logon / Kerberos Service Ticket Operations No GPO check for audit success Collect events 4769 for kerberos authentication DC03
Advanced Logon/Logoff / Logoff No GPO check for audit success Collect events 4634 for account logoff DC03
Advanced Logon/Logoff / Logon No GPO check for audit success Collect events 4624, 4625, 4648 for account logon DC03
Advanced Detailed Tracking / Process Creation No GPO check for audit success Collect event 4688 to get the history of executed programs DC03
Advanced Account Management / Security Group Management No GPO check for audit success Collect events 4728, 4732, 4756 for group membership change DC03
Advanced System / Security System Extension No GPO check for audit success Collect events 4610, 4697 to track lsass security packages and services DC03
Advanced Privilege Use / Sensitive Privilege Use No GPO check for audit success Collect events 4672, 4673, 4674 for privileges tracking such as the debug one DC03
Advanced Logon/Logoff / Special Logon No GPO check for audit success Collect event 4964 for special group attributed at logon DC03
Advanced Account Management / User Account Management No GPO check for audit success Collect events 4720,22,23,38,65,66,80,94 for user account management DC03
+ 5 Point(s)

Hardened Paths weakness

Rule ID:

A-HardenedPaths

Description:

The purpose is to ensure that there is no weakness related to hardened paths

Technical explanation:

Two vulnerabilities reported in 2015 (MS15-011 and MS15-014) allow a domain takeover via GPO modifications done through a man-in-the-middle attack.
To mitigate these vulnerabilities, Microsoft has designed a workaround named "Hardened Paths". It forces connection settings to enforce Integrity, Mutual Authentication or Privacy.
By default, if this policy is empty, it will enforce Integrity and Mutual Authentication on the SYSVOL and NETLOGON shares.
This rule checks whether any override has disabled this protection.

Advised solution:

You have to edit the Hardened Path section in the GPO.
This section is located in Computer Configuration/Policies/Administrative Templates/Network/Network Provider
Check each value reported here and make sure that entries containing SYSVOL or NETLOGON have RequireIntegrity and RequireMutualAuthentication set to 1.
In addition to that, check entries having the pattern \\DCName\* and apply the same solution.
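As an added example that is not part of the PingCastle report, this script reads the registry values that the "Hardened UNC Paths" policy produces on a machine where the GPO applies, parses each entry, and reports the same columns as the table below (RequireIntegrity, RequireMutualAuthentication, RequirePrivacy), flagging SYSVOL/NETLOGON and \\DCName\* entries that are weak or missing. It assumes the policy has been applied to the machine it runs on and that the ActiveDirectory RSAT module is available for the DC name list.

```powershell
# Added example, not part of the PingCastle report. Reads the applied Hardened UNC Paths policy.
$HardenedPathsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'

function Test-HardenedPathEntry {
    param(
        [Parameter(Mandatory)][string]$Path,    # e.g. '\\*\SYSVOL'
        [AllowEmptyString()][string]$Value,     # e.g. 'RequireMutualAuthentication=1, RequireIntegrity=1'
        [string[]]$DCNames = @()                # DC host names, so that \\DCName\* entries are checked too
    )
    # Parse the comma separated "Name=Value" list into a hashtable.
    $settings = @{}
    foreach ($pair in ($Value -split ',')) {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $settings[$kv[0].Trim()] = $kv[1].Trim() }
    }
    # Entries that must be hardened: anything ending in SYSVOL/NETLOGON, plus \\<DC>\* wildcards.
    $mustHarden = ($Path -match '(?i)\\(SYSVOL|NETLOGON)$')
    if (-not $mustHarden -and $Path -match '^\\\\([^\\]+)\\\*$') {
        $mustHarden = ($DCNames -contains $Matches[1])
    }
    $get = { param($name) if ($settings.ContainsKey($name)) { $settings[$name] } else { 'Not Set' } }
    [pscustomobject]@{
        Key                         = $Path
        RequireIntegrity            = & $get 'RequireIntegrity'
        RequireMutualAuthentication = & $get 'RequireMutualAuthentication'
        RequirePrivacy              = & $get 'RequirePrivacy'
        MustBeHardened              = $mustHarden
        Weak = $mustHarden -and -not (($settings['RequireIntegrity'] -eq '1') -and
                                      ($settings['RequireMutualAuthentication'] -eq '1'))
    }
}

function Get-HardenedPathsStatus {
    param([string[]]$DCNames = @())
    $entries = @{}
    if (Test-Path $HardenedPathsKey) {
        $item = Get-Item $HardenedPathsKey
        foreach ($name in $item.GetValueNames()) { $entries[$name] = [string]$item.GetValue($name) }
    }
    # The two entries the rule expects; if absent they are reported as "Not Set", as in the report.
    foreach ($required in '\\*\SYSVOL', '\\*\NETLOGON') {
        if (-not $entries.ContainsKey($required)) { $entries[$required] = '' }
    }
    foreach ($name in $entries.Keys) {
        Test-HardenedPathEntry -Path $name -Value $entries[$name] -DCNames $DCNames
    }
}

# Usage: DC names from AD so that \\DCName\* entries are evaluated as well.
# Get-HardenedPathsStatus -DCNames (Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name) | Format-Table
```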

Points:

5 points if present

Documentation:

https://labs.f-secure.com/archive/how-to-own-any-windows-network-with-group-policy-hijacking-attacks/
https://talubu.wordpress.com/2018/02/28/configuring-unc-hardened-access-through-group-policy/
https://adsecurity.org/?p=1405
https://support.microsoft.com/en-us/topic/ms15-011-vulnerability-in-group-policy-could-allow-remote-code-execution-february-10-2015-91b4bda2-945d-455b-ebbb-01d1ec191328
[US]STIG V-63577 - Hardened UNC Paths must be defined to require mutual authentication and integrity for at least the \\*\SYSVOL and \\*\NETLOGON shares.
[MITRE]T1557.001 Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay

Details:

The detail can be found in the Hardened Paths configuration section.

GPO  Key  RequireIntegrity  RequireMutualAuthentication  RequirePrivacy
No GPO Found NETLOGON Not Set Not Set Not Set
No GPO Found SYSVOL Not Set Not Set Not Set
+ 5 Point(s)

Check if signing is really required for LDAP

Rule ID:

A-DCLdapSign

Description:

The purpose is to check if signing is really required for LDAP

Technical explanation:

If signing of each LDAP request is not enforced, a man-in-the-middle attack can be performed on an LDAP connection, for example to add a user to the admin group.

This test is made by ignoring the local computer security policies.
Signature enforcement is done by setting the flag ISC_REQ_INTEGRITY when initializing the Negotiate / NTLM / Kerberos authentication.
The opposite test is made with the flag ISC_REQ_NO_INTEGRITY set.

PingCastle tests if this setting is in place by performing an LDAP authentication with and without signature enforcement.
False positives may exist if PingCastle is run on the server being tested; that is why, when PingCastle is run on a DC, that DC is not tested.

Advised solution:

You have to make sure that ALL LDAP clients are compatible with LDAP signature.
All supported Windows versions since Windows XP take this into account, as do most Unix clients.

You have to follow the Microsoft article quoted in reference to enable LDAP signing.
This includes auditing the clients which are not compatible and how to enforce this policy.

Points:

5 points if present

Documentation:

https://docs.microsoft.com/en-US/troubleshoot/windows-server/identity/enable-ldap-signing-in-windows-server
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ldap-channel-binding-and-ldap-signing-requirements-march-2020/ba-p/921536/page/4
https://github.com/zyn3rgy/LdapRelayScan
[MITRE]T1557 Man-in-the-Middle

Details:
Domain controller
DC02
+ 2 Point(s)

Check that the "Pre-Windows 2000 Compatible Access" group has not been modified from its default

Rule ID:

A-PreWin2000Other

Description:

The purpose is to check that no additional account has been added to the "Pre-Windows 2000 Compatible Access" group

Technical explanation:

The pre-Windows 2000 compatible access group grants access to some RPC calls which should not be available to users or computers.

Advised solution:

Remove the members from the PreWin2000 group while making sure that the group "Authenticated Users" is present. Then reboot each DC.

Points:

2 points if present

Documentation:

https://msdn.microsoft.com/en-us/library/cc223672.aspx
[FR]ANSSI - Use of the "Pre-Windows 2000 Compatible Access" group (vuln3_compatible_2000_not_default)
[MITRE]T1110.003 Brute Force: Password Spraying

Informative rule

Check if the mitigation for CVE-2021-42291 has been enabled

Rule ID:

A-DsHeuristicsLDAPSecurity

Description:

The purpose is to identify domains where the mitigation for CVE-2021-42291 is not enabled

Technical explanation:

The way an Active Directory behaves can be controlled via the attribute DsHeuristics of CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration.
Two parameters stored in this attribute, LDAPAddAutZVerifications and LDAPOwnerModify, can be set to control the mitigation of CVE-2021-42291.
KB5008383 introduced changes to the default security descriptor of Computer containers to add auditing and to limit computer creation without being admin.
Indeed, it is recommended not to let anyone create computer accounts, as they can be used to abuse Kerberos or to perform relay attacks.

Mitigations in CVE-2021-42291 consist of 3 choices to be set on 2 settings.
They are named LDAPAddAutZVerifications and LDAPOwnerModify and are respectively the 28th and 29th character of this string.
For the expected values:
- With the value 0 (the default), it enables an additional audit mechanism
- With the value 1 (recommended), it enforces new security permissions, especially to require an action of the domain admin when unusual actions are performed
- With the value 2 (not recommended), it disables the audit mechanism that has been added by default and does not enable the new security permissions

Advised solution:

The easiest and fastest way to correct this issue is to replace the 28th and 29th character of the DsHeuristics attribute.
The value of LDAPAddAutZVerifications and LDAPOwnerModify should be set to 1.

Open the procedure embedded into the KB5008383 to apply this mitigation and change the DsHeuristics value.

Note: pay attention that there are control characters at the 10th and 20th positions, to avoid undesired changes of the DsHeuristics attribute.
Typically if the DsHeuristics is empty, the expected new value is 00000000010000000002000000011
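The string manipulation described above, as an added example that is not part of the PingCastle report or of KB5008383: the first function rewrites one position of a dSHeuristics string while padding with zeros and keeping the mandatory control digits at every 10th position, and the second applies it to positions 28 and 29 behind -WhatIf/-Confirm. It assumes the ActiveDirectory RSAT module; the write itself requires rights on the configuration partition.

```powershell
# Added example, not part of the PingCastle report. Requires the ActiveDirectory RSAT module.
function Update-DsHeuristicsString {
    param(
        [AllowEmptyString()][string]$Current,   # current dSHeuristics value ('' if not set)
        [Parameter(Mandatory)][int]$Position,   # 1-based character position to change
        [Parameter(Mandatory)][char]$Value
    )
    if ($Position % 10 -eq 0) {
        throw "Position $Position holds a control character and must not be changed."
    }
    $chars = [System.Collections.Generic.List[char]]::new()
    $chars.AddRange($Current.ToCharArray())
    # Pad with '0' up to the wanted position. Every 10th character is a control digit
    # (position 10 -> '1', position 20 -> '2', ...) that must be present in the string.
    while ($chars.Count -lt $Position) {
        $next = $chars.Count + 1
        if ($next % 10 -eq 0) {
            $chars.Add([char][string](($next / 10) % 10))
        } else {
            $chars.Add([char]'0')
        }
    }
    $chars[$Position - 1] = $Value
    return (-join $chars)
}

function Enable-Cve202142291Mitigation {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $dn  = 'CN=Directory Service,CN=Windows NT,CN=Services,' + (Get-ADRootDSE).configurationNamingContext
    $obj = Get-ADObject -Identity $dn -Properties dSHeuristics
    $current = [string]$obj.dSHeuristics
    # 28th char = LDAPAddAutZVerifications, 29th = LDAPOwnerModify; '1' enforces the new permissions.
    $new = Update-DsHeuristicsString -Current $current -Position 28 -Value '1'
    $new = Update-DsHeuristicsString -Current $new     -Position 29 -Value '1'
    if ($new -ne $current -and $PSCmdlet.ShouldProcess($dn, "Set dSHeuristics '$current' to '$new'")) {
        Set-ADObject -Identity $dn -Replace @{ dSHeuristics = $new }
    }
    return $new
}

# Offline self-check of the string logic against the value the report gives for an empty attribute.
$expected = '00000000010000000002000000011'
$computed = Update-DsHeuristicsString -Current (Update-DsHeuristicsString -Current '' -Position 28 -Value '1') -Position 29 -Value '1'
if ($computed -ne $expected) { throw "Unexpected value: $computed" }

# Dry run first, then without -WhatIf to apply:
# Enable-Cve202142291Mitigation -WhatIf
```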

Points:

Informative rule (0 point)

Documentation:

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e5899be4-862e-496f-9a38-33950617d2c5
https://support.microsoft.com/en-au/topic/kb5008383-active-directory-permissions-updates-cve-2021-42291-536d5555-ffba-4248-a60e-d6cbc849cde1
[MITRE]T1187 Forced Authentication
[FR]ANSSI - Dangerous dsHeuristics settings (vuln3_dsheuristics_bad)

Details:
Setting  Position  Value
LDAPAddAuthZVerifications 28th Not Set
LDAPOwnerModify 29th Not Set
Informative rule

Check if LLMNR can be used to steal credentials

Rule ID:

A-NoGPOLLMNR

Description:

The purpose is to ensure that local name resolution protocol (LLMNR) cannot be used to collect credentials by performing a network attack

Technical explanation:

LLMNR is a protocol which translates names such as foo.bar.com into an IP address. LLMNR has been designed to translate names locally in case the default protocol, DNS, is not available.
Regarding Active Directory, DNS is mandatory, which makes LLMNR useless.
LLMNR attacks exploit typos or faster response times to redirect users to a specially designed share, server or website.
Being trusted, this service will trigger the single sign on procedure which can be abused to retrieve the user credentials.

LLMNR is enabled by default on all OS except starting from Windows 10 v1903 and Windows Server v1903 where it is disabled.

Advised solution:

Enable the GPO "Turn off multicast name resolution" and check that no GPO overrides this setting.
(if it is the case, the policy involved will be displayed below)

Points:

Informative rule (0 point)

Documentation:

https://youtu.be/Fg2gvk0qgjM
[MITRE]T1557.001 Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay

Details:

The detail can be found in Security settings

Informative rule

Check if PowerShell logging is enabled.

Rule ID:

A-AuditPowershell

Description:

The purpose is to ensure that PowerShell logging is enabled.

Technical explanation:

PowerShell is a powerful language, also used by hackers because of this quality. Hackers are able to run programs such as mimikatz in memory using obfuscated commands such as Invoke-Mimikatz.
Because there is no artefact on the disk, the incident response task is difficult for forensic analysts.
For this reason, we recommend enabling PowerShell logging via a group policy, even if these security settings may already be part of the workstation or server images.

Advised solution:

Go to Computer Configuration -> Administrative Templates -> Windows Components -> Windows PowerShell
And enable "Turn on Module logging" and "Turn on PowerShell Script Block logging"
We recommend to set "*" as the module list.

Points:

Informative rule (0 point)

Documentation:

https://adsecurity.org/?p=2604
https://docs.microsoft.com/en-us/powershell/scripting/wmf/whats-new/script-logging?view=powershell-6
[US]STIG V-68819 - PowerShell script block logging must be enabled
[MITRE]Mitre Att&ck - Mitigation - Audit

Details:

The detail can be found in Security settings

Informative rule

Check the Password Policy for Service Accounts (Information)

Rule ID:

A-NoServicePolicy

Description:

The purpose is to give information regarding a best practice for the Service Account password policy. Indeed, having a 20+ character password for these accounts greatly helps reduce the risk behind the Kerberoast attack (offline cracking of TGS tickets)
Note: PSO (Password Settings Objects) will be visible only if the user which collected the information has the permission to view it.

Technical explanation:

The rule is purely informative, as it gives insights regarding a best practice. It verifies if there is a GPO or PSO enforcing a 20+ characters password for the Service Account.

Advised solution:

The recommended way to handle service accounts is to use "Managed service accounts", introduced in Windows 2008 R2 (search for "msDS-ManagedServiceAccount").
To solve the anomaly, you should implement a PSO or GPO password policy guaranteeing a 20+ character password.

Points:

Informative rule (0 point)

Documentation:

https://www.microsoft.com/en-us/research/publication/password-guidance/
[MITRE]T1201 Password Policy Discovery

Details:

The detail can be found in Password Policies

Informative rule

Check if NetCease has been put in place to mitigate Bloodhound

Rule ID:

A-NoNetSessionHardening

Description:

The purpose is to ensure that mitigations are in place against the Bloodhound tool

Technical explanation:

By default, Windows computers allow any authenticated user to enumerate network sessions to it.
This means an attacker could enumerate network sessions to a file share hosting home directories or a Domain Controller to see who's connected to SYSVOL (to apply Group Policy) and determine which workstations each user and admin account is logged into.
Bloodhound uses this capability extensively to map out credentials in the network.

Disabling Net Session Enumeration removes the capability for any user to enumerate net session info (Recon).

Advised solution:

If this mitigation is not part of the computer image, apply the following recommendations:
Run the NetCease PowerShell script (referenced below) on a reference workstation.
Open the Group Policy Management Console. Right-click the Group Policy object (GPO) that should contain the new preference item, and then click Edit.
In the console tree under Computer Configuration, expand the Preferences folder, and then expand the Windows Settings folder.
Right-click the Registry node, point to New, and select Registry Wizard.
Select the reference workstation on which the desired registry settings exist, then click Next.
Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity\
and select the check box for "SrvsvcSessionInfo", the value from which you want to create a Registry preference item. Select the check box for a key only if you want to create a Registry item for the key rather than for a value within the key.
Click Finish.
The settings that you selected appear as preference items in the Registry Wizard Values collection.

Points:

Informative rule (0 point)

Documentation:

https://github.com/p0w3rsh3ll/NetCease
https://adsecurity.org/?p=3299
[MITRE]T1087.001 Account Discovery: Local Account

Details:

The detail can be found in Security settings

Informative rule

Check that the "Pre-Windows 2000 Compatible Access" group does not contain "Authenticated Users"

Rule ID:

A-PreWin2000AuthenticatedUsers

Description:

The purpose is to check whether the "Pre-Windows 2000 Compatible Access" group contains "Authenticated Users".

Technical explanation:

The "Pre-Windows 2000 Compatible Access" group grants access to some RPC calls.
Its default and secure value is the "Authenticated Users" group, which allows users to perform group lookups using legacy protocols.

If this group contains "Authenticated Users", it increases the impact of exploitable vulnerabilities in legacy protocols such as the Print Spooler.
Indeed, in the #PrintNightmare attack, it enables a patch bypass on domain controllers because the Elevated Token property is set when a session to the DC is established.
Removing "Authenticated Users" from this group can have side effects; as a consequence, this is reported here as a special hardening measure.

Advised solution:

Remove "Authenticated Users" from the "Pre-Windows 2000 Compatible Access" group.

Points:

Informative rule (0 point)

Documentation:

https://msdn.microsoft.com/en-us/library/cc223672.aspx
https://www.gradenegger.eu/?p=1132
[MITRE]T1210 Exploitation of Remote Services

Informative rule

Check if Authenticated Users can create DNS records

Rule ID:

A-DnsZoneAUCreateChild

Description:

The purpose is to check if Authenticated Users has the right to create DNS records

Technical explanation:

When a computer is joined to a domain, a DNS record is created in the DNS zone to allow the computer to update its own DNS settings.
By design, Microsoft chose to grant the group Authenticated Users (i.e. every computer and user) the right to create DNS records.
Once a record is created, only its owner keeps the right to edit the new object.

The vulnerability is that specific DNS records can be created to perform man-in-the-middle attacks.
Examples are creating a wildcard record (a record with the name "*"), creating a failover DNS record, or creating a DNS record ahead of its legitimate owner so that it is created with the creator's permissions.

Advised solution:

As of today this rule is considered informative because the default configuration, where Authenticated Users can create DNS records, is considered safe.
The reason for this classification is that no exploitation of that vulnerability has been reported.

The proposed enhancement is to change the identity granted the right to create DNS records (the CreateChild permission) from Authenticated Users to Domain Computers.
To perform this change, edit the permissions of the DNS zone object located in the container CN=MicrosoftDNS,DC=DomainDnsZones.

It should be noted that if there is a privilege escalation on a computer, an attacker can impersonate the computer account and bypass this mitigation.

The best mitigation is to create the DNS records manually as part of the domain join process and to revoke the permission granted to Authenticated Users.

Points:

Informative rule (0 point)

Documentation:

https://www.ws-its.de/gegenmassnahme-zum-angriff-dns-wildcard/
https://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/
[MITRE]T1557 Man-in-the-Middle

Details:
DNSZone
offsec.nl

This section shows the main technical characteristics of the domain.

Domain | Netbios Name | Domain Functional Level | Forest Functional Level | Creation date | DC count | Schema version | Recycle Bin enabled
offsec.nl | OFFSEC | Windows Server 2016 | Windows Server 2016 | 2022-12-23 09:34:09Z | 2 | Windows Server 2019 | FALSE

Azure AD Configuration

No Azure AD configuration has been found in this domain

This section gives information about the user accounts stored in the Active Directory

Account analysis

Nb User Accounts | Nb Enabled | Nb Disabled | Nb Active | Nb Inactive | Nb Locked | Nb pwd never Expire | Nb SidHistory | Nb Bad PrimaryGroup | Nb Password not Req. | Nb Des enabled | Nb unconstrained delegations | Nb Reversible password
2936 | 2492 | 444 | 2492 | 0 | 0 | 4 | 0 | 0 | 0 | 0 | 0 | 0
[4]
Name | Creation | Last logon | Distinguished name
Administrator | 2022-12-23 09:34:28Z | 2023-04-04 17:42:52Z | CN=Administrator,CN=Users,DC=offsec,DC=nl
crypt0rr | 2022-12-23 13:08:34Z | 2023-04-04 17:53:11Z | CN=crypt0rr,CN=Users,DC=offsec,DC=nl
crypt0rr-adm | 2023-01-03 11:41:44Z | Never | CN=crypt0rr-adm,CN=Users,DC=offsec,DC=nl
stu | 2023-01-12 13:20:34Z | 2023-01-12 14:22:25Z | CN=STU,OU=Stage,DC=offsec,DC=nl
[46]
Name | Creation | Last logon | Distinguished name
2068937977SA | 2022-12-23 11:49:59Z | Never | CN=2068937977SA,OU=ServiceAccounts,OU=BDE,OU=Tier 1,DC=offsec,DC=nl
4290354077SA | 2022-12-23 11:58:11Z | Never | CN=4290354077SA,OU=Devices,OU=BDE,OU=Tier 2,DC=offsec,DC=nl
4872826279SA | 2022-12-23 11:49:09Z | Never | CN=4872826279SA,OU=Test,OU=FIN,OU=Stage,DC=offsec,DC=nl
ALFONSO_BOLTON | 2022-12-23 11:47:53Z | Never | CN=ALFONSO_BOLTON,OU=Groups,OU=TST,OU=Tier 1,DC=offsec,DC=nl
ANDERSON_MCCOY | 2022-12-23 11:50:49Z | Never | CN=ANDERSON_MCCOY,OU=ServiceAccounts,OU=AZR,OU=Stage,DC=offsec,DC=nl
ANGELIA_VASQUEZ | 2022-12-23 11:58:08Z | Never | CN=ANGELIA_VASQUEZ,OU=Test,OU=HRE,OU=Stage,DC=offsec,DC=nl
BECKY_TERRY | 2022-12-23 11:48:42Z | Never | CN=BECKY_TERRY,OU=Groups,OU=OGC,OU=Tier 1,DC=offsec,DC=nl
BEN_HYDE | 2022-12-23 11:54:36Z | Never | CN=BEN_HYDE,OU=ServiceAccounts,OU=FIN,OU=Tier 1,DC=offsec,DC=nl
BERNARD_BARBER | 2022-12-23 11:56:11Z | Never | CN=BERNARD_BARBER,OU=Deprovisioned,OU=People,DC=offsec,DC=nl
BERRY_TRAVIS | 2022-12-23 11:59:13Z | Never | CN=BERRY_TRAVIS,OU=ServiceAccounts,OU=ITS,OU=Stage,DC=offsec,DC=nl
BLAKE_KERR | 2022-12-23 11:47:56Z | Never | CN=BLAKE_KERR,OU=Groups,OU=AZR,OU=Tier 2,DC=offsec,DC=nl
CAROL_LESTER | 2022-12-23 11:50:47Z | Never | CN=CAROL_LESTER,OU=OGC,OU=Stage,DC=offsec,DC=nl
DARIN_RUSH | 2022-12-23 11:51:31Z | Never | CN=DARIN_RUSH,OU=ServiceAccounts,OU=HRE,OU=Tier 1,DC=offsec,DC=nl
DAVID_FOWLER | 2022-12-23 11:54:38Z | Never | CN=DAVID_FOWLER,OU=Test,OU=GOO,OU=Stage,DC=offsec,DC=nl
DEREK_KELLER | 2022-12-23 11:51:53Z | Never | CN=DEREK_KELLER,OU=ESM,OU=Stage,DC=offsec,DC=nl
DINA_ACEVEDO | 2022-12-23 11:52:42Z | Never | CN=DINA_ACEVEDO,OU=ServiceAccounts,OU=AZR,OU=Tier 2,DC=offsec,DC=nl
DOMINGO_HESTER | 2022-12-23 11:53:47Z | Never | CN=DOMINGO_HESTER,OU=OGC,OU=Tier 1,DC=offsec,DC=nl
ERIC_LITTLE | 2022-12-23 11:56:03Z | Never | CN=ERIC_LITTLE,OU=Devices,OU=HRE,OU=Stage,DC=offsec,DC=nl
ESTHER_CHAN | 2022-12-23 11:56:26Z | Never | CN=ESTHER_CHAN,OU=T0-Devices,OU=Tier 0,OU=Admin,DC=offsec,DC=nl
EVERETT_BECKER | 2022-12-23 11:51:22Z | Never | CN=EVERETT_BECKER,OU=ServiceAccounts,OU=OGC,OU=Stage,DC=offsec,DC=nl
EVERETT_WATTS | 2022-12-23 11:47:25Z | Never | CN=EVERETT_WATTS,OU=ServiceAccounts,OU=ITS,OU=Tier 2,DC=offsec,DC=nl
FAY_BLACK | 2022-12-23 11:54:05Z | Never | CN=FAY_BLACK,OU=Test,OU=TST,OU=Tier 2,DC=offsec,DC=nl
GRACIELA_GREGORY | 2022-12-23 11:55:36Z | Never | CN=GRACIELA_GREGORY,OU=Groups,OU=BDE,OU=Tier 2,DC=offsec,DC=nl
JAMIE_GALLAGHER | 2022-12-23 11:51:13Z | Never | CN=JAMIE_GALLAGHER,OU=ServiceAccounts,OU=FIN,OU=Tier 1,DC=offsec,DC=nl
JASPER_SAWYER | 2022-12-23 11:50:56Z | Never | CN=JASPER_SAWYER,OU=T2-Accounts,OU=Tier 2,OU=Admin,DC=offsec,DC=nl
JEFFREY_FERNANDEZ | 2022-12-23 11:56:33Z | Never | CN=JEFFREY_FERNANDEZ,OU=Groups,OU=AZR,OU=Tier 1,DC=offsec,DC=nl
JODI_CHANEY | 2022-12-23 11:53:21Z | Never | CN=JODI_CHANEY,OU=Groups,OU=AWS,OU=Tier 2,DC=offsec,DC=nl
JOE_MONROE | 2022-12-23 11:52:17Z | Never | CN=JOE_MONROE,OU=ServiceAccounts,OU=TST,OU=Tier 1,DC=offsec,DC=nl
JULIO_RODRIQUEZ | 2022-12-23 11:53:59Z | Never | CN=JULIO_RODRIQUEZ,OU=Test,OU=HRE,OU=Tier 2,DC=offsec,DC=nl
KEISHA_WATERS | 2022-12-23 11:47:52Z | Never | CN=KEISHA_WATERS,OU=T0-Roles,OU=Tier 0,OU=Admin,DC=offsec,DC=nl
LARRY_STANTON | 2022-12-23 11:48:50Z | Never | CN=LARRY_STANTON,OU=Test,OU=HRE,OU=Stage,DC=offsec,DC=nl
LUCILE_OLSEN | 2022-12-23 11:55:53Z | Never | CN=LUCILE_OLSEN,OU=Groups,OU=ESM,OU=Stage,DC=offsec,DC=nl
LUCY_BENTON | 2022-12-23 11:54:22Z | Never | CN=LUCY_BENTON,OU=Groups,OU=FIN,OU=Tier 1,DC=offsec,DC=nl
MAC_WHITNEY | 2022-12-23 11:57:19Z | Never | CN=MAC_WHITNEY,OU=Groups,OU=OGC,OU=Tier 2,DC=offsec,DC=nl
MARYLOU_GRAY | 2022-12-23 11:49:58Z | Never | CN=MARYLOU_GRAY,OU=ServiceAccounts,OU=OGC,OU=Stage,DC=offsec,DC=nl
MEGHAN_SWEENEY | 2022-12-23 11:52:55Z | Never | CN=MEGHAN_SWEENEY,OU=AZR,OU=Tier 1,DC=offsec,DC=nl
NAOMI_BURNETT | 2022-12-23 11:49:03Z | Never | CN=NAOMI_BURNETT,OU=T1-Servers,OU=Tier 1,OU=Admin,DC=offsec,DC=nl
ORVILLE_BRITT | 2022-12-23 11:58:22Z | Never | CN=ORVILLE_BRITT,OU=T0-Roles,OU=Tier 0,OU=Admin,DC=offsec,DC=nl
QUENTIN_MARSHALL | 2022-12-23 11:50:33Z | Never | CN=QUENTIN_MARSHALL,OU=ServiceAccounts,OU=SEC,OU=Tier 2,DC=offsec,DC=nl
ROBYN_PARKS | 2022-12-23 11:59:17Z | Never | CN=ROBYN_PARKS,OU=Test,OU=BDE,OU=Tier 1,DC=offsec,DC=nl
ROCCO_THOMPSON | 2022-12-23 11:50:46Z | Never | CN=ROCCO_THOMPSON,OU=Devices,OU=BDE,OU=Stage,DC=offsec,DC=nl
RONALD_ENGLAND | 2022-12-23 11:57:09Z | Never | CN=RONALD_ENGLAND,OU=AWS,OU=Stage,DC=offsec,DC=nl
SAMMY_POWELL | 2022-12-23 11:53:08Z | Never | CN=SAMMY_POWELL,OU=Devices,OU=FSR,OU=Tier 2,DC=offsec,DC=nl
SUNG_LAMBERT | 2022-12-23 11:47:25Z | Never | CN=SUNG_LAMBERT,OU=TST,OU=People,DC=offsec,DC=nl
TRACI_ROLLINS | 2022-12-23 11:51:01Z | Never | CN=TRACI_ROLLINS,OU=Grouper-Groups,DC=offsec,DC=nl
TRACY_MCCLURE | 2022-12-23 11:53:25Z | Never | CN=TRACY_MCCLURE,OU=ServiceAccounts,OU=AZR,OU=Stage,DC=offsec,DC=nl
[148]
Name | Creation | Last logon | Distinguished name
2186787523SA | 2022-12-23 11:47:37Z | Never | CN=2186787523SA,OU=Test,OU=SEC,OU=Tier 1,DC=offsec,DC=nl
2910960457SA | 2022-12-23 11:48:15Z | Never | CN=2910960457SA,OU=Groups,OU=AWS,OU=Stage,DC=offsec,DC=nl
4366621908SA | 2022-12-23 11:46:58Z | Never | CN=4366621908SA,OU=Test,OU=SEC,OU=Tier 1,DC=offsec,DC=nl
4739737917SA | 2022-12-23 11:47:38Z | Never | CN=4739737917SA,OU=T1-Servers,OU=Tier 1,OU=Admin,DC=offsec,DC=nl
ABIGAIL_REYNOLDS | 2022-12-23 11:57:43Z | Never | CN=ABIGAIL_REYNOLDS,OU=ServiceAccounts,OU=ITS,OU=Tier 1,DC=offsec,DC=nl
ABRAHAM_MASSEY | 2022-12-23 11:55:11Z | Never | CN=ABRAHAM_MASSEY,OU=FIN,OU=Tier 1,DC=offsec,DC=nl
ADOLPH_PITTMAN | 2022-12-23 11:53:58Z | Never | CN=ADOLPH_PITTMAN,OU=ServiceAccounts,OU=SEC,OU=Tier 2,DC=offsec,DC=nl
ALEXANDRA_MAYS | 2022-12-23 11:56:48Z | Never | CN=ALEXANDRA_MAYS,OU=Groups,OU=HRE,OU=Stage,DC=offsec,DC=nl
ALFREDO_FLOWERS | 2022-12-23 11:49:36Z | Never | CN=ALFREDO_FLOWERS,OU=Groups,OU=HRE,OU=Tier 1,DC=offsec,DC=nl
ALYSSA_YATES | 2022-12-23 11:51:01Z | Never | CN=ALYSSA_YATES,OU=Groups,OU=SEC,OU=Stage,DC=offsec,DC=nl
AMADO_CARR | 2022-12-23 11:57:08Z | Never | CN=AMADO_CARR,OU=ServiceAccounts,OU=BDE,OU=Tier 1,DC=offsec,DC=nl
ANDY_LEON | 2022-12-23 11:57:20Z | Never | CN=ANDY_LEON,OU=ServiceAccounts,OU=ESM,OU=Tier 1,DC=offsec,DC=nl
ANGEL_BROCK | 2022-12-23 11:51:41Z | Never | CN=ANGEL_BROCK,OU=TST,OU=Stage,DC=offsec,DC=nl
ASHLEY_BLAIR | 2022-12-23 11:59:26Z | Never | CN=ASHLEY_BLAIR,OU=Test,OU=OGC,OU=Tier 1,DC=offsec,DC=nl
BECKY_TERRY | 2022-12-23 11:48:42Z | Never | CN=BECKY_TERRY,OU=Groups,OU=OGC,OU=Tier 1,DC=offsec,DC=nl
BEVERLEY_CHANEY | 2022-12-23 11:56:31Z | Never | CN=BEVERLEY_CHANEY,OU=Devices,OU=SEC,OU=Tier 1,DC=offsec,DC=nl
BLAINE_WELCH | 2022-12-23 11:49:20Z | Never | CN=BLAINE_WELCH,OU=ServiceAccounts,OU=FSR,OU=Tier 1,DC=offsec,DC=nl
BLANCA_LANE | 2022-12-23 11:56:17Z | Never | CN=BLANCA_LANE,OU=Test,OU=ITS,OU=Tier 1,DC=offsec,DC=nl
BOBBI_RODGERS | 2022-12-23 11:59:09Z | Never | CN=BOBBI_RODGERS,OU=HRE,OU=Stage,DC=offsec,DC=nl
CALEB_DYER | 2022-12-23 11:50:01Z | Never | CN=CALEB_DYER,OU=TST,OU=Stage,DC=offsec,DC=nl
CARLY_BUTLER | 2022-12-23 11:49:25Z | Never | CN=CARLY_BUTLER,OU=FIN,OU=People,DC=offsec,DC=nl
CARRIE_FIELDS | 2022-12-23 11:53:49Z | Never | CN=CARRIE_FIELDS,OU=FIN,OU=Tier 2,DC=offsec,DC=nl
CARROLL_SWEENEY | 2022-12-23 11:57:54Z | Never | CN=CARROLL_SWEENEY,OU=Devices,OU=SEC,OU=Stage,DC=offsec,DC=nl
CARSON_GUY | 2022-12-23 11:55:40Z | Never | CN=CARSON_GUY,OU=T0-Roles,OU=Tier 0,OU=Admin,DC=offsec,DC=nl
CHARLIE_HARDY | 2022-12-23 11:51:30Z | Never | CN=CHARLIE_HARDY,OU=AWS,OU=Tier 2,DC=offsec,DC=nl
CHARLOTTE_DAVID | 2022-12-23 11:50:02Z | Never | CN=CHARLOTTE_DAVID,OU=Devices,OU=HRE,OU=Tier 2,DC=offsec,DC=nl
CHASE_COTTON | 2022-12-23 11:53:42Z | Never | CN=CHASE_COTTON,OU=BDE,OU=Tier 1,DC=offsec,DC=nl
CHRISTIAN_ERICKSON | 2022-12-23 11:58:14Z | Never | CN=CHRISTIAN_ERICKSON,OU=FSR,OU=People,DC=offsec,DC=nl
COLEEN_BAKER | 2022-12-23 11:55:21Z | Never | CN=COLEEN_BAKER,OU=Devices,OU=OGC,OU=Tier 2,DC=offsec,DC=nl
COLEMAN_GRAY | 2022-12-23 11:51:48Z | Never | CN=COLEMAN_GRAY,OU=ServiceAccounts,OU=HRE,OU=Stage,DC=offsec,DC=nl
CONSUELO_THOMAS | 2022-12-23 11:47:50Z | Never | CN=CONSUELO_THOMAS,OU=BDE,OU=Tier 1,DC=offsec,DC=nl
CRISTINA_HULL | 2022-12-23 11:50:40Z | Never | CN=CRISTINA_HULL,OU=Groups,OU=HRE,OU=Tier 2,DC=offsec,DC=nl
DAMIEN_HOLMES | 2022-12-23 11:54:54Z | Never | CN=DAMIEN_HOLMES,OU=ServiceAccounts,OU=FSR,OU=Stage,DC=offsec,DC=nl
DANIELLE_HILL | 2022-12-23 11:53:37Z | Never | CN=DANIELLE_HILL,OU=OGC,OU=People,DC=offsec,DC=nl
DEBBIE_BERNARD | 2022-12-23 11:52:12Z | Never | CN=DEBBIE_BERNARD,OU=ServiceAccounts,OU=ESM,OU=Stage,DC=offsec,DC=nl
DEBRA_WYNN | 2022-12-23 11:56:13Z | Never | CN=DEBRA_WYNN,OU=HRE,OU=Tier 2,DC=offsec,DC=nl
DENNIS_CROSS | 2022-12-23 11:55:59Z | Never | CN=DENNIS_CROSS,OU=Groups,OU=AZR,OU=Tier 2,DC=offsec,DC=nl
DENNIS_HOWE | 2022-12-23 11:48:35Z | Never | CN=DENNIS_HOWE,OU=Groups,OU=OGC,OU=Tier 1,DC=offsec,DC=nl
DOMINICK_VANG | 2022-12-23 11:50:10Z | Never | CN=DOMINICK_VANG,OU=AWS,OU=Tier 1,DC=offsec,DC=nl
DOMINIQUE_CHASE | 2022-12-23 11:52:40Z | Never | CN=DOMINIQUE_CHASE,OU=Test,OU=FIN,OU=Stage,DC=offsec,DC=nl
DONALD_FOX | 2022-12-23 11:52:46Z | Never | CN=DONALD_FOX,OU=ServiceAccounts,OU=HRE,OU=Stage,DC=offsec,DC=nl
DUSTY_BERNARD | 2022-12-23 11:51:51Z | Never | CN=DUSTY_BERNARD,OU=T2-Permissions,OU=Tier 2,OU=Admin,DC=offsec,DC=nl
EFREN_ROSS | 2022-12-23 11:49:12Z | Never | CN=EFREN_ROSS,OU=FSR,OU=Stage,DC=offsec,DC=nl
ELIZA_MONTGOMERY | 2022-12-23 11:49:44Z | Never | CN=ELIZA_MONTGOMERY,OU=Groups,OU=FSR,OU=Tier 2,DC=offsec,DC=nl
EMANUEL_ENGLAND | 2022-12-23 11:51:27Z | Never | CN=EMANUEL_ENGLAND,OU=FIN,OU=People,DC=offsec,DC=nl
ERNIE_STEVENS | 2022-12-23 11:54:34Z | Never | CN=ERNIE_STEVENS,OU=ServiceAccounts,OU=FSR,OU=Tier 1,DC=offsec,DC=nl
EVERETTE_THOMAS | 2022-12-23 11:52:24Z | Never | CN=EVERETTE_THOMAS,OU=ServiceAccounts,OU=TST,OU=Tier 2,DC=offsec,DC=nl
FEDERICO_BENNETT | 2022-12-23 11:53:46Z | Never | CN=FEDERICO_BENNETT,OU=Devices,OU=ITS,OU=Tier 1,DC=offsec,DC=nl
FELIX_VINCENT | 2022-12-23 11:49:39Z | Never | CN=FELIX_VINCENT,OU=ServiceAccounts,OU=TST,OU=Stage,DC=offsec,DC=nl
FRANCIS_NOLAN | 2022-12-23 11:50:44Z | Never | CN=FRANCIS_NOLAN,OU=Devices,OU=TST,OU=Tier 2,DC=offsec,DC=nl
FREDERIC_HAYDEN | 2022-12-23 11:55:16Z | Never | CN=FREDERIC_HAYDEN,OU=Groups,OU=ITS,OU=Tier 2,DC=offsec,DC=nl
GALE_MCMILLAN | 2022-12-23 11:54:44Z | Never | CN=GALE_MCMILLAN,OU=AWS,OU=Tier 2,DC=offsec,DC=nl
GLENDA_ROSARIO | 2022-12-23 11:51:57Z | Never | CN=GLENDA_ROSARIO,OU=Groups,OU=ESM,OU=Tier 1,DC=offsec,DC=nl
GOLDIE_RHODES | 2022-12-23 11:55:49Z | Never | CN=GOLDIE_RHODES,OU=Tier 2,OU=Admin,DC=offsec,DC=nl
GORDON_COLON | 2022-12-23 11:53:36Z | Never | CN=GORDON_COLON,OU=T2-Accounts,OU=Tier 2,OU=Admin,DC=offsec,DC=nl
GRANT_ANDREWS | 2022-12-23 11:55:09Z | Never | CN=GRANT_ANDREWS,OU=ServiceAccounts,OU=OGC,OU=Stage,DC=offsec,DC=nl
GRANT_DENNIS | 2022-12-23 11:50:38Z | Never | CN=GRANT_DENNIS,OU=ServiceAccounts,OU=FSR,OU=Stage,DC=offsec,DC=nl
HARLAN_GREER | 2022-12-23 11:59:11Z | Never | CN=HARLAN_GREER,OU=TST,OU=Tier 2,DC=offsec,DC=nl
HAZEL_GLENN | 2022-12-23 11:57:07Z | Never | CN=HAZEL_GLENN,OU=AZR,OU=Tier 1,DC=offsec,DC=nl
HERSHEL_PECK | 2022-12-23 11:50:27Z | Never | CN=HERSHEL_PECK,OU=Grouper-Groups,DC=offsec,DC=nl
HUNTER_BRIGGS | 2022-12-23 11:49:55Z | Never | CN=HUNTER_BRIGGS,OU=ServiceAccounts,OU=TST,OU=Stage,DC=offsec,DC=nl
IVA_YORK | 2022-12-23 11:48:19Z | Never | CN=IVA_YORK,OU=Tier 1,OU=Admin,DC=offsec,DC=nl
JAN_DURAN | 2022-12-23 11:54:18Z | Never | CN=JAN_DURAN,OU=Devices,OU=AWS,OU=Tier 1,DC=offsec,DC=nl
JANA_STANTON | 2022-12-23 11:49:53Z | Never | CN=JANA_STANTON,OU=ServiceAccounts,OU=FIN,OU=Tier 1,DC=offsec,DC=nl
JANELL_WILCOX | 2022-12-23 11:49:05Z | Never | CN=JANELL_WILCOX,OU=Devices,OU=TST,OU=Stage,DC=offsec,DC=nl
JANNA_WOOD | 2022-12-23 11:48:24Z | Never | CN=JANNA_WOOD,OU=Devices,OU=TST,OU=Tier 2,DC=offsec,DC=nl
JANNIE_WASHINGTON | 2022-12-23 11:47:20Z | Never | CN=JANNIE_WASHINGTON,OU=Test,OU=OGC,OU=Tier 1,DC=offsec,DC=nl
JARRED_DOWNS | 2022-12-23 11:55:08Z | Never | CN=JARRED_DOWNS,OU=Staging,OU=Admin,DC=offsec,DC=nl
JASMINE_MADDOX | 2022-12-23 11:54:46Z | Never | CN=JASMINE_MADDOX,OU=ServiceAccounts,OU=AWS,OU=Tier 2,DC=offsec,DC=nl
JAY_MALONE | 2022-12-23 11:48:05Z | Never | CN=JAY_MALONE,OU=T1-Servers,OU=Tier 1,OU=Admin,DC=offsec,DC=nl
JEFFERY_GILBERT | 2022-12-23 11:57:11Z | Never | CN=JEFFERY_GILBERT,OU=HRE,OU=Tier 1,DC=offsec,DC=nl
JENIFER_HOPPER | 2022-12-23 11:58:49Z | Never | CN=JENIFER_HOPPER,OU=ServiceAccounts,OU=ITS,OU=Tier 2,DC=offsec,DC=nl
JERROLD_BOWERS | 2022-12-23 11:48:51Z | Never | CN=JERROLD_BOWERS,OU=ServiceAccounts,OU=GOO,OU=Stage,DC=offsec,DC=nl
JESSE_THORNTON | 2022-12-23 11:51:16Z | Never | CN=JESSE_THORNTON,OU=Devices,OU=AWS,OU=Tier 1,DC=offsec,DC=nl
JOSEPHINE_MANNING | 2022-12-23 11:54:53Z | Never | CN=JOSEPHINE_MANNING,OU=AZR,OU=Stage,DC=offsec,DC=nl
JULIAN_MCCLAIN | 2022-12-23 11:46:55Z | Never | CN=JULIAN_MCCLAIN,OU=SEC,OU=Stage,DC=offsec,DC=nl
KATHY_BYERS | 2022-12-23 11:48:57Z | Never | CN=KATHY_BYERS,OU=GOO,OU=Tier 1,DC=offsec,DC=nl
KATY_HALEY | 2022-12-23 11:56:30Z | Never | CN=KATY_HALEY,OU=ServiceAccounts,OU=ITS,OU=Tier 2,DC=offsec,DC=nl
KELSEY_MULLEN | 2022-12-23 11:50:39Z | Never | CN=KELSEY_MULLEN,OU=Devices,OU=BDE,OU=Stage,DC=offsec,DC=nl
KELVIN_MORSE | 2022-12-23 11:50:54Z | Never | CN=KELVIN_MORSE,OU=TST,OU=People,DC=offsec,DC=nl
KERI_HENSLEY | 2022-12-23 11:50:47Z | Never | CN=KERI_HENSLEY,OU=Deprovisioned,OU=People,DC=offsec,DC=nl
KURT_HARRINGTON | 2022-12-23 11:52:35Z | Never | CN=KURT_HARRINGTON,OU=T0-Roles,OU=Tier 0,OU=Admin,DC=offsec,DC=nl
KURT_STANTON | 2022-12-23 11:48:59Z | Never | CN=KURT_STANTON,OU=Devices,OU=BDE,OU=Tier 2,DC=offsec,DC=nl
LANDON_WATSON | 2022-12-23 11:46:50Z | Never | CN=LANDON_WATSON,OU=ServiceAccounts,OU=AWS,OU=Stage,DC=offsec,DC=nl
LEIGH_CALHOUN | 2022-12-23 11:49:26Z | Never | CN=LEIGH_CALHOUN,OU=ServiceAccounts,OU=AWS,OU=Tier 2,DC=offsec,DC=nl
LENA_MANNING | 2022-12-23 11:51:42Z | Never | CN=LENA_MANNING,OU=ServiceAccounts,OU=TST,OU=Stage,DC=offsec,DC=nl
LEONARD_TREVINO | 2022-12-23 11:54:01Z | Never | CN=LEONARD_TREVINO,OU=ServiceAccounts,OU=FSR,OU=Tier 2,DC=offsec,DC=nl
LESSIE_COOPER | 2022-12-23 11:55:34Z | Never | CN=LESSIE_COOPER,OU=Devices,OU=BDE,OU=Stage,DC=offsec,DC=nl
LILLIAN_CONLEY | 2022-12-23 11:51:42Z | Never | CN=LILLIAN_CONLEY,OU=AWS,OU=Stage,DC=offsec,DC=nl
LILLIAN_LLOYD | 2022-12-23 11:52:42Z | Never | CN=LILLIAN_LLOYD,OU=ServiceAccounts,OU=AWS,OU=Stage,DC=offsec,DC=nl
LINA_HALL | 2022-12-23 11:50:35Z | Never | CN=LINA_HALL,OU=Groups,OU=HRE,OU=Tier 2,DC=offsec,DC=nl
LORETTA_NGUYEN | 2022-12-23 11:52:44Z | Never | CN=LORETTA_NGUYEN,OU=Unassociated,OU=People,DC=offsec,DC=nl
LUCILE_OLSEN | 2022-12-23 11:55:53Z | Never | CN=LUCILE_OLSEN,OU=Groups,OU=ESM,OU=Stage,DC=offsec,DC=nl
MAC_BARRY | 2022-12-23 11:47:08Z | Never | CN=MAC_BARRY,OU=Devices,OU=GOO,OU=Tier 2,DC=offsec,DC=nl
MADELEINE_BATES | 2022-12-23 11:54:16Z | Never | CN=MADELEINE_BATES,OU=Devices,OU=AZR,OU=Tier 1,DC=offsec,DC=nl
MARCY_MARSHALL | 2022-12-23 11:53:10Z | Never | CN=MARCY_MARSHALL,OU=Test,OU=OGC,OU=Tier 1,DC=offsec,DC=nl
MARGRET_SHERMAN | 2022-12-23 11:53:57Z | Never | CN=MARGRET_SHERMAN,OU=ServiceAccounts,OU=OGC,OU=Stage,DC=offsec,DC=nl
MARIA_RICHMOND | 2022-12-23 11:51:41Z | Never | CN=MARIA_RICHMOND,OU=Test,OU=TST,OU=Tier 1,DC=offsec,DC=nl
MARTIN_MCINTOSH | 2022-12-23 11:50:36Z | Never | CN=MARTIN_MCINTOSH,OU=ServiceAccounts,OU=TST,OU=Tier 1,DC=offsec,DC=nl
MASON_WOLFE | 2022-12-23 11:56:35Z | Never | CN=MASON_WOLFE,OU=Quarantine,DC=offsec,DC=nl
Output limited to 100 items - go to the advanced menu before running the report or add "--no-enum-limit" to remove that limit

Password Age Distribution

This feature is reserved for customers who have purchased a license

Account analysis

This section gives information about the computer accounts stored in the Active Directory

Nb Computer Accounts | Nb Enabled | Nb Disabled | Nb Active | Nb Inactive | Nb SidHistory | Nb Bad PrimaryGroup | Nb unconstrained delegations | Nb Reversible password
106 | 106 | 0 | 106 | 0 | 0 | 0 | 2 | 0
[1]
Name | Creation | Last logon | Distinguished name
CL03$ | 2022-12-23 14:21:56Z | 2022-12-23 15:21:58Z | CN=CL03,CN=Computers,DC=offsec,DC=nl
[5]
Name | Creation | Last logon | Distinguished name
AZRWWKS1000000$ | 2022-12-23 12:04:57Z | Never | CN=AZRWWKS1000000,OU=FSR,OU=People,DC=offsec,DC=nl
BDEWCTRX1000001$ | 2022-12-23 12:05:29Z | Never | CN=BDEWCTRX1000001,OU=T1-Roles,OU=Tier 1,OU=Admin,DC=offsec,DC=nl
ESMWAPPS1000001$ | 2022-12-23 12:07:21Z | Never | CN=ESMWAPPS1000001,OU=AZR,OU=Tier 1,DC=offsec,DC=nl
ESMWDBAS1000000$ | 2022-12-23 12:04:50Z | Never | CN=ESMWDBAS1000000,OU=TST,OU=Tier 1,DC=offsec,DC=nl
TSTWLPT1000001$ | 2022-12-23 12:05:32Z | Never | CN=TSTWLPT1000001,OU=Devices,OU=FIN,OU=Tier 1,DC=offsec,DC=nl
[2]
Name | Creation | Last logon | Distinguished name
DC02$ | 2022-12-23 09:37:25Z | 2023-04-03 12:31:24Z | CN=DC02,OU=Domain Controllers,DC=offsec,DC=nl
DC03$ | 2022-12-23 14:16:21Z | 2023-04-03 12:31:25Z | CN=DC03,OU=Domain Controllers,DC=offsec,DC=nl

Operating Systems

If you need to find the computers running a specific OS, we advise using PingCastle.exe and the export / computers feature available from the main menu. The computer details are not included in the report for performance reasons: including them would significantly increase the report size and the time needed to load the report.

Operating System | Nb OS | Nb Enabled | Nb Disabled | Nb Active | Nb Inactive | Nb SidHistory | Nb Bad PrimaryGroup | Nb unconstrained delegations | Nb Reversible password
OperatingSystem not set | 99 | 99 | 0 | 99 | 0 | 0 | 0 | 0 | 0
pc-linux-gnu | 1 | 1 | 0 | 1 | 0 | 0 | 0 | 0 | 0
Windows Server 2019 1809 | 1 | 1 | 0 | 1 | 0 | 0 | 0 | 1 | 0
Windows 11 21H2 | 2 | 2 | 0 | 2 | 0 | 0 | 0 | 0 | 0
Windows 10 22H2 | 1 | 1 | 0 | 1 | 0 | 0 | 0 | 0 | 0
Windows Server 2016 1607 | 1 | 1 | 0 | 1 | 0 | 0 | 0 | 0 | 0
Windows Server 2022 | 1 | 1 | 0 | 1 | 0 | 0 | 0 | 1 | 0

Domain controllers

Here is a specific zoom related to the Active Directory servers: the domain controllers.

[2]
Domain controller | Operating System | Creation Date | Startup Time | Uptime | Owner | Null sessions | SMB v1 | Remote spooler | FSMO role | WebDAV
DC02 | Windows 2019 | 2022-12-23 09:37:25Z | 2023-04-04 17:39:22Z | 0 days | OFFSEC\Domain Admins | NO | NO | YES | PDC, RID pool manager, Infrastructure master, Schema master, Domain naming Master | NO
DC03 | Windows 2022 | 2022-12-23 14:16:21Z | Unknown | (not available) | OFFSEC\Domain Admins | NO | NO | NO | (none) | NO

Groups

This section is focused on the groups which are critical for admin activities. If the report has been saved with the full details, each group can be expanded to show its members. If not, for privacy reasons, only general statistics are available.

Group Name | Nb Admins | Nb Enabled | Nb Disabled | Nb Inactive | Nb PWd never expire | Nb Smart Card required | Nb Service accounts | Nb can be delegated | Nb external users | Nb protected users
Account Operators | 1 | 1 | 0 | 1 | 0 | 0 | 1 | 1 | 0 | 0
Administrators | 10 | 8 | 2 | 7 | 2 | 0 | 0 | 8 | 0 | 0
Backup Operators | 1 | 1 | 0 | 1 | 0 | 0 | 0 | 1 | 0 | 0
Certificate Operators | 1 | 1 | 0 | 1 | 0 | 0 | 0 | 1 | 0 | 0
Certificate Publishers | 2 | 2 | 0 | 2 | 0 | 0 | 0 | 2 | 0 | 0
Dns Admins | 3 | 3 | 0 | 3 | 0 | 0 | 0 | 3 | 0 | 0
Domain Administrators | 9 | 7 | 2 | 6 | 2 | 0 | 0 | 7 | 0 | 0
Enterprise Administrators | 1 | 1 | 0 | 0 | 1 | 0 | 0 | 1 | 0 | 0
Enterprise Key Administrators | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0
Key Administrators | 4 | 2 | 2 | 2 | 0 | 0 | 0 | 2 | 0 | 0
Print Operators | 2 | 2 | 0 | 2 | 0 | 0 | 0 | 2 | 0 | 0
Replicator | 2 | 2 | 0 | 2 | 0 | 0 | 0 | 2 | 0 | 0
Schema Administrators | 1 | 1 | 0 | 0 | 1 | 0 | 0 | 1 | 0 | 0
Server Operators | 3 | 2 | 1 | 2 | 0 | 0 | 0 | 2 | 0 | 0
[28]
SamAccountName | Enabled | Active | Pwd never Expired | Locked | Smart Card required | Service account | Flag Cannot be delegated present | Creation date | Last login | Password last set | In Protected Users | Distinguished name
5895368778SA | YES | NO | NO | NO | NO | NO | NO | 2022-12-23 11:47:26Z | Not set | 2022-12-23 12:47:26Z | NO | CN=5895368778SA,OU=BDE,OU=Tier 2,DC=offsec,DC=nl
Administrator | YES | YES | YES | NO | NO | NO | NO | 2022-12-23 09:34:28Z | 2023-04-04 17:42:52Z | 2022-12-23 12:40:26Z | NO | CN=Administrator,CN=Users,DC=offsec,DC=nl
ALI_SANCHEZ | YES | NO | NO | NO | NO | NO | NO | 2022-12-23 11:46:50Z | Not set | 2022-12-23 12:46:50Z | NO | CN=ALI_SANCHEZ,OU=AZR,OU=People,DC=offsec,DC=nl
BRANDON_LYNCH | NO | NO | NO | NO | NO | NO | YES | 2022-12-23 11:43:46Z | Not set | 1601-01-01 01:00:00Z | NO | CN=BRANDON_LYNCH,OU=Testing,DC=offsec,DC=nl
crypt0rr-adm | YES | NO | YES | NO | NO | NO | NO | 2023-01-03 11:41:44Z | Not set | 2023-01-03 12:41:44Z | NO | CN=crypt0rr-adm,CN=Users,DC=offsec,DC=nl
DAMIAN_DUFFY | YES | NO | NO | NO | NO | NO | NO | 2022-12-23 11:47:17Z | Not set | 2022-12-23 12:47:17Z | NO | CN=DAMIAN_DUFFY,OU=Devices,OU=FIN,OU=Stage,DC=offsec,DC=nl
ELSIE_BYRD | YES | NO | NO | NO | NO | NO | NO | 2022-12-23 11:52:02Z | Not set | 2022-12-23 12:52:02Z | NO | CN=ELSIE_BYRD,OU=Unassociated,OU=People,DC=offsec,DC=nl
ERNIE_GUTHRIE | YES | NO | NO | NO | NO | NO | NO | 2022-12-23 11:51:33Z | Not set | 2022-12-23 12:51:33Z | NO | CN=ERNIE_GUTHRIE,OU=OGC,OU=Stage,DC=offsec,DC=nl
EULA_KELLY | YES | NO | NO | NO | NO | NO | NO | 2022-12-23 11:51:34Z | Not set | 2022-12-23 12:51:34Z | NO | CN=EULA_KELLY,OU=ServiceAccounts,OU=AWS,OU=Stage,DC=offsec,DC=nl
FRANCISCO_NICHOLSON | YES | NO | NO | NO | NO | NO | NO | 2022-12-23 11:48:26Z | Not set | 2022-12-23 12:48:26Z | NO | CN=FRANCISCO_NICHOLSON,OU=OGC,OU=Tier 1,DC=offsec,DC=nl
GARTH_HARRINGTON | YES | NO | NO | NO | NO | NO | NO | 2022-12-23 11:46:51Z | Not set | 2022-12-23 12:46:51Z | NO | CN=GARTH_HARRINGTON,OU=Groups,OU=ESM,OU=Tier 1,DC=offsec,DC=nl
GENA_GONZALES | YES | NO | NO | NO | NO | NO | NO | 2022-12-23 11:54:15Z | Not set | 2022-12-23 12:54:15Z | NO | CN=GENA_GONZALES,OU=Groups,OU=AZR,OU=Stage,DC=offsec,DC=nl
JANELLE_KELLY | YES | NO | NO | NO | NO | NO | NO | 2022-12-23 11:50:27Z | Not set | 2022-12-23 12:50:27Z | NO | CN=JANELLE_KELLY,OU=Groups,OU=BDE,OU=Tier 1,DC=offsec,DC=nl
JAYSON_AGUIRRE | YES | NO | NO | NO | NO | NO | NO | 2022-12-23 11:53:58Z | Not set | 2022-12-23 12:53:58Z | NO | CN=JAYSON_AGUIRRE,OU=Testing,DC=offsec,DC=nl
JEFFERY_BAXTER | YES | NO | NO | NO | NO | NO | NO | 2022-12-23 11:53:57Z | Not set | 2022-12-23 12:53:57Z | NO | CN=JEFFERY_BAXTER,OU=AWS,OU=People,DC=offsec,DC=nl
LELA_FISHER | YES | NO | NO | NO | NO | NO | NO | 2022-12-23 11:51:01Z | Not set | 2022-12-23 12:51:01Z | NO | CN=LELA_FISHER,OU=ServiceAccounts,OU=OGC,OU=Tier 1,DC=offsec,DC=nl
LUCY_BENTON | YES | NO | NO | NO | NO | YES | NO | 2022-12-23 11:54:22Z | Not set | 2022-12-23 12:54:22Z | NO | CN=LUCY_BENTON,OU=Groups,OU=FIN,OU=Tier 1,DC=offsec,DC=nl
LYDIA_PIERCE | NO | NO | NO | NO | NO | NO | YES | 2022-12-23 11:41:58Z | Not set | 1601-01-01 01:00:00Z | NO | CN=LYDIA_PIERCE,OU=Test,OU=SEC,OU=Tier 2,DC=offsec,DC=nl
MARIANA_SCHWARTZ | YES | NO | NO | NO | NO | NO | NO | 2022-12-23 11:49:11Z | Not set | 2022-12-23 12:49:12Z | NO | CN=MARIANA_SCHWARTZ,OU=AWS,OU=People,DC=offsec,DC=nl
MAYNARD_MIDDLETON | YES | NO | NO | NO | NO | NO | NO | 2022-12-23 11:52:20Z | Not set | 2022-12-23 12:52:20Z | NO | CN=MAYNARD_MIDDLETON,OU=ITS,OU=Stage,DC=offsec,DC=nl
MELANIE_BARLOW | NO | NO | NO | NO | NO | NO | YES | 2022-12-23 11:43:30Z | Not set | 1601-01-01 01:00:00Z | NO | CN=MELANIE_BARLOW,OU=Groups,OU=AWS,OU=Stage,DC=offsec,DC=nl
MELISA_SHERMAN | YES | NO | NO | NO | NO | NO | NO | 2022-12-23 11:47:20Z | Not set | 2022-12-23 12:47:20Z | NO | CN=MELISA_SHERMAN,OU=Devices,OU=ESM,OU=Stage,DC=offsec,DC=nl
PAULINE_BEACH | YES | NO | NO | NO | NO | NO | NO | 2022-12-23 11:51:38Z | Not set | 2022-12-23 12:51:38Z | NO | CN=PAULINE_BEACH,OU=Grouper-Groups,DC=offsec,DC=nl
QUINN_NASH | YES | NO | NO | NO | NO | NO | NO | 2022-12-23 11:57:10Z | Not set | 2022-12-23 12:57:10Z | NO | CN=QUINN_NASH,OU=FSR,OU=People,DC=offsec,DC=nl
RICKY_MCDANIEL | YES | NO | NO | NO | NO | NO | NO | 2022-12-23 11:46:56Z | Not set | 2022-12-23 12:46:56Z | NO | CN=RICKY_MCDANIEL,OU=T1-Accounts,OU=Tier 1,OU=Admin,DC=offsec,DC=nl
ROSALYN_LANCASTER | YES | NO | NO | NO | NO | NO | NO | 2022-12-23 11:56:46Z | Not set | 2022-12-23 12:56:46Z | NO | CN=ROSALYN_LANCASTER,OU=Groups,OU=GOO,OU=Tier 1,DC=offsec,DC=nl
SCOTTIE_PETERSEN | YES | NO | NO | NO | NO | NO | NO | 2022-12-23 11:47:24Z | Not set | 2022-12-23 12:47:24Z | NO | CN=SCOTTIE_PETERSEN,OU=FSR,OU=People,DC=offsec,DC=nl
TANNER_ALSTON | NO | NO | NO | NO | NO | NO | YES | 2022-12-23 11:44:10Z | Not set | 1601-01-01 01:00:00Z | NO | CN=TANNER_ALSTON,OU=Testing,DC=offsec,DC=nl

Last Logon Distribution

This feature is reserved for customers who have purchased a license

Delegations

The specific rights defined on each Organizational Unit (OU) are listed below.

[272]
DistinguishedName | Account | Right
DC=offsec | BUILTIN\Print Operators | GenericAll, GenericWrite, WriteDacl, WriteOwner
DC=offsec | OFFSEC\BE-martin199-distlist1 | GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
DC=offsec | OFFSEC\DA-petronilo-admingroup1 | GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
DC=offsec | OFFSEC\Domain Controllers | EXT_RIGHT_REPLICATION_GET_CHANGES_ALL
DC=offsec | OFFSEC\GOOWWEBS1000000$ | GenericAll, GenericWrite, WriteDacl, WriteOwner
DC=offsec | OFFSEC\ITSWLPT1000000$ | GenericAll, GenericWrite, WriteDacl, WriteOwner
DC=offsec | OFFSEC\JU-lad-admingroup1 | GenericAll, GenericWrite, WriteDacl, WriteOwner
DC=offsec | OFFSEC\RA-100-distlist1 | GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
DC=offsec | OFFSEC\SH-mamiringa-admingroup1 | GenericAll, GenericWrite, WriteDacl, WriteOwner
DC=offsec | OFFSEC\VA-azerty190-distlist1 | GenericAll, GenericWrite, WriteDacl, WriteOwner, GenericAll, GenericWrite, WriteDacl, WriteOwner
CN=RAS and IAS Servers Access Check,CN=System | OFFSEC\RAS and IAS Servers | GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
CN=WMIPolicy,CN=System | OFFSEC\Group Policy Creator Owners | GenericWrite, DSSelf, Write all prop
CN=SOM,CN=WMIPolicy,CN=System | OFFSEC\Group Policy Creator Owners | GenericWrite, DSSelf, Write all prop
OU=.SecFrame.com | OFFSEC\BDEWDBAS1000001$ | GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=.SecFrame.com | OFFSEC\DA-petronilo-admingroup1 | GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Tier 0,OU=Admin | OFFSEC\BDEWDBAS1000001$ | GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Tier 0,OU=Admin | OFFSEC\TO-nunogomes-distlist1 | GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=T0-Accounts,OU=Tier 0,OU=Admin | OFFSEC\BDEWWEBS1000001$ | GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=T0-Accounts,OU=Tier 0,OU=Admin | OFFSEC\HREWLPT1000001$ | GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=T0-Roles,OU=Tier 0,OU=Admin | OFFSEC\YV-bim-distlist1 | GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=Tier 1,OU=Admin | OFFSEC\AZRWWKS1000000$ | GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=T1-Accounts,OU=Tier 1,OU=Admin | OFFSEC\CARMELLA_SPARKS | GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=T1-Accounts,OU=Tier 1,OU=Admin | OFFSEC\OGCWWKS1000000$ | GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=T1-Accounts,OU=Tier 1,OU=Admin | OFFSEC\SECWAPPS1000001$ | GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=T1-Devices,OU=Tier 1,OU=Admin | OFFSEC\CHANDRA_GATES | GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=T1-Permissions,OU=Tier 1,OU=Admin | OFFSEC\OGCWWEBS1000000$ | GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=T1-Roles,OU=Tier 1,OU=Admin | OFFSEC\FSRWWKS1000000$ | GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=T1-Servers,OU=Tier 1,OU=Admin | OFFSEC\BDEWDBAS1000000$ | GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=T1-Servers,OU=Tier 1,OU=Admin | OFFSEC\BDEWWEBS1000001$ | GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=T1-Servers,OU=Tier 1,OU=Admin | OFFSEC\DA-petronilo-admingroup1 | GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=T1-Servers,OU=Tier 1,OU=Admin | OFFSEC\MA-revillana-admingroup1 | GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=T1-Servers,OU=Tier 1,OU=Admin | OFFSEC\OGCWWEBS1000000$ | GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=T2-Accounts,OU=Tier 2,OU=Admin | OFFSEC\BDEWWKS1000001$ | GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=T2-Accounts,OU=Tier 2,OU=Admin | OFFSEC\CA-NaC-distlist1 | GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=T2-Devices,OU=Tier 2,OU=Admin | OFFSEC\BE-201-distlist1 | GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=T2-Devices,OU=Tier 2,OU=Admin | OFFSEC\ESMWWKS1000000$ | GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=T2-Roles,OU=Tier 2,OU=Admin | OFFSEC\SECWAPPS1000002$ | GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=T2-Servers,OU=Tier 2,OU=Admin | OFFSEC\RA-100-distlist1 | GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=Grouper-Groups | OFFSEC\GOOWSECS1000000$ | GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=AWS,OU=People | OFFSEC\RA-100-distlist1 | GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=AZR,OU=People | OFFSEC\OGCWWEBS1000000$ | GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=BDE,OU=People | OFFSEC\ITSWLPT1000000$ | GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=BDE,OU=People | OFFSEC\SECWWEBS1000000$ | GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=ESM,OU=People | OFFSEC\FSRWAPPS1000002$ | GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=ESM,OU=People | OFFSEC\LELA_LYONS | GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=FIN,OU=People | OFFSEC\2186787523SA | GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=FIN,OU=People | OFFSEC\CARMELLA_SPARKS | GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=FIN,OU=People | OFFSEC\FSRWAPPS1000002$ | GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=HRE,OU=People | OFFSEC\BDEWWKS1000001$ | GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=OGC,OU=People | OFFSEC\BDEWWEBS1000001$ | GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=SEC,OU=People | OFFSEC\FINWVIR1000000$ | GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=SEC,OU=People | OFFSEC\JE-teamocozi-distlist1 | GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=TST,OU=People | OFFSEC\BDEWDBAS1000001$ | GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=TST,OU=People | OFFSEC\JE-teamocozi-distlist1 | GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Unassociated,OU=People | OFFSEC\OGCWLPT1000000$ | GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Quarantine | OFFSEC\BDEWCTRX1000001$ | GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Quarantine | OFFSEC\BE-201-distlist1 | GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Stage | OFFSEC\BDEWDBAS1000000$ | GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=AWS,OU=Stage | OFFSEC\JU-lad-admingroup1 | GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Groups,OU=AWS,OU=Stage | OFFSEC\LELA_LYONS | GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=ServiceAccounts,OU=AWS,OU=Stage | OFFSEC\GOLDIE_ACOSTA | GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=AZR,OU=Stage | OFFSEC\AR-200-distlist1 | GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=AZR,OU=Stage | OFFSEC\HREWLPT1000001$ | GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=AZR,OU=Stage | OFFSEC\LELA_LYONS | GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Devices,OU=AZR,OU=Stage | OFFSEC\BDEWWEBS1000001$ | GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=BDE,OU=Stage | OFFSEC\GOOWSECS1000000$ | GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=BDE,OU=Stage | OFFSEC\SECWWEBS1000000$ | GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=BDE,OU=Stage | OFFSEC\TSTWLPT1000001$ | GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Devices,OU=BDE,OU=Stage | OFFSEC\DC02$ | GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Devices,OU=BDE,OU=Stage | OFFSEC\ITSWDBAS1000000$ | GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Groups,OU=BDE,OU=Stage | OFFSEC\BDEWWEBS1000001$ | GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Groups,OU=BDE,OU=StageOFFSEC\FSRWWKS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Groups,OU=BDE,OU=StageOFFSEC\SECWWKS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Groups,OU=BDE,OU=StageOFFSEC\TR-24dejulio-distlist1GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=ServiceAccounts,OU=BDE,OU=StageOFFSEC\MI-confianza-distlist1GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Test,OU=BDE,OU=StageOFFSEC\BDEWDBAS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Test,OU=BDE,OU=StageOFFSEC\ITSWLPT1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Test,OU=BDE,OU=StageOFFSEC\JE-teamocozi-distlist1GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Test,OU=BDE,OU=StageOFFSEC\MA-54coanas1-distlist1GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=ESM,OU=StageOFFSEC\GOOWSECS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=ESM,OU=StageOFFSEC\YV-bim-distlist1GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=ServiceAccounts,OU=ESM,OU=StageOFFSEC\SECWAPPS1000001$GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=Test,OU=ESM,OU=StageOFFSEC\ESMWAPPS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Groups,OU=FIN,OU=StageOFFSEC\FINWVIR1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Groups,OU=FIN,OU=StageOFFSEC\FSRWAPPS1000002$GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=Groups,OU=FIN,OU=StageOFFSEC\HREWLPT1000001$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=ServiceAccounts,OU=FIN,OU=StageOFFSEC\FINWAPPS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=FSR,OU=StageOFFSEC\BDEWDBAS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=FSR,OU=StageOFFSEC\HREWVIR1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=FSR,OU=StageOFFSEC\JU-lad-admingroup1GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Devices,OU=FSR,OU=StageOFFSEC\DC02$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Groups,OU=FSR,OU=StageOFFSEC\MA-revillana-admingroup1GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Groups,OU=FSR,OU=StageOFFSEC\OGCWWKS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=ServiceAccounts,OU=FSR,OU=StageOFFSEC\TSTWLPT1000001$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=GOO,OU=StageOFFSEC\ESMWAPPS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Devices,OU=GOO,OU=StageDomain UsersGenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Groups,OU=GOO,OU=StageOFFSEC\CARMELLA_SPARKSGenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Groups,OU=GOO,OU=StageOFFSEC\SECWWKS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=HRE,OU=StageOFFSEC\JE-con-distlist1GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Devices,OU=HRE,OU=StageOFFSEC\BDEWWEBS1000001$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Devices,OU=HRE,OU=StageOFFSEC\FINWVIR1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Devices,OU=HRE,OU=StageOFFSEC\FINWWKS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Test,OU=HRE,OU=StageOFFSEC\CHANDRA_GATESGenericAll, GenericWrite, WriteDacl, WriteOwner
OU=ITS,OU=StageOFFSEC\JU-lad-admingroup1GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=Devices,OU=ITS,OU=StageOFFSEC\MI-confianza-distlist1GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Groups,OU=ITS,OU=StageOFFSEC\MA-54coanas1-distlist1GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Test,OU=ITS,OU=StageOFFSEC\ANGELIA_MANNGenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Devices,OU=OGC,OU=StageOFFSEC\DA-petronilo-admingroup1GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Devices,OU=OGC,OU=StageOFFSEC\JE-teamocozi-distlist1GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Groups,OU=OGC,OU=StageOFFSEC\FINWAPPS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Groups,OU=OGC,OU=StageOFFSEC\OGCWWEBS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=ServiceAccounts,OU=OGC,OU=StageOFFSEC\DA-petronilo-admingroup1GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Test,OU=OGC,OU=StageOFFSEC\AWSWWKS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Test,OU=OGC,OU=StageOFFSEC\DA-BADGIRLCE-distlist1GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=SEC,OU=StageOFFSEC\SECWAPPS1000001$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Devices,OU=SEC,OU=StageOFFSEC\AM-cuy-distlist1GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=Devices,OU=SEC,OU=StageOFFSEC\GOOWSECS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Devices,OU=SEC,OU=StageOFFSEC\JE-teamocozi-distlist1GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Devices,OU=SEC,OU=StageOFFSEC\MA-54coanas1-distlist1GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Groups,OU=SEC,OU=StageOFFSEC\FSRWWKS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=ServiceAccounts,OU=SEC,OU=StageOFFSEC\ITSWLPT1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=TST,OU=StageOFFSEC\CA-NaC-distlist1GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=TST,OU=StageOFFSEC\CA-sanjavier-admingroup1GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=TST,OU=StageOFFSEC\HREWWEBS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=Devices,OU=TST,OU=StageOFFSEC\SECWAPPS1000001$GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=Groups,OU=TST,OU=StageOFFSEC\FSRWWKS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Test,OU=TST,OU=StageOFFSEC\BDEWDBAS1000001$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Tier 1OFFSEC\LELA_LYONSGenericAll, GenericWrite, WriteDacl, WriteOwner
OU=AWS,OU=Tier 1OFFSEC\JE-con-distlist1GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=Devices,OU=AWS,OU=Tier 1OFFSEC\BE-martin199-distlist1GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=Groups,OU=AWS,OU=Tier 1OFFSEC\FINWAPPS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=ServiceAccounts,OU=AWS,OU=Tier 1OFFSEC\AR-200-distlist1GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Test,OU=AWS,OU=Tier 1OFFSEC\2186787523SAGenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Test,OU=AWS,OU=Tier 1OFFSEC\ITSWLPT1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Devices,OU=AZR,OU=Tier 1OFFSEC\ESMWDBAS1000001$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Devices,OU=AZR,OU=Tier 1OFFSEC\SECWWEBS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=Groups,OU=AZR,OU=Tier 1OFFSEC\BDEWDBAS1000001$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Groups,OU=AZR,OU=Tier 1OFFSEC\ITSWLPT1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=ServiceAccounts,OU=AZR,OU=Tier 1OFFSEC\33-JIm-distlist1GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=ServiceAccounts,OU=AZR,OU=Tier 1OFFSEC\BDEWCTRX1000001$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Test,OU=AZR,OU=Tier 1OFFSEC\TSTWLPT1000001$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=BDE,OU=Tier 1OFFSEC\TR-24dejulio-distlist1GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=Devices,OU=BDE,OU=Tier 1OFFSEC\GOLDIE_ACOSTAGenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=Devices,OU=BDE,OU=Tier 1OFFSEC\OGCWWKS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Groups,OU=BDE,OU=Tier 1OFFSEC\FINWVIR1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=Test,OU=BDE,OU=Tier 1OFFSEC\AZRWDBAS1000001$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Test,OU=BDE,OU=Tier 1OFFSEC\OGCWWKS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=ESM,OU=Tier 1OFFSEC\BDEWDBAS1000001$GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=Devices,OU=ESM,OU=Tier 1OFFSEC\HREWVIR1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=Devices,OU=ESM,OU=Tier 1OFFSEC\OGCWWKS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Groups,OU=ESM,OU=Tier 1OFFSEC\ANGELIA_MANNGenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Groups,OU=ESM,OU=Tier 1OFFSEC\CARMELLA_SPARKSGenericAll, GenericWrite, WriteDacl, WriteOwner
OU=ServiceAccounts,OU=ESM,OU=Tier 1OFFSEC\FINWWKS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=ServiceAccounts,OU=ESM,OU=Tier 1OFFSEC\OGCWLPT1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Test,OU=ESM,OU=Tier 1OFFSEC\ANGELIA_MANNGenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=FIN,OU=Tier 1OFFSEC\AM-cuy-distlist1GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=FIN,OU=Tier 1OFFSEC\BE-ben-distlist1GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=Devices,OU=FIN,OU=Tier 1OFFSEC\HREWLPT1000001$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Devices,OU=FIN,OU=Tier 1OFFSEC\JE-con-distlist1GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=Groups,OU=FIN,OU=Tier 1OFFSEC\AZRWWKS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Groups,OU=FIN,OU=Tier 1OFFSEC\MA-54coanas1-distlist1GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Test,OU=FIN,OU=Tier 1OFFSEC\BE-ben-distlist1GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=FSR,OU=Tier 1OFFSEC\GOOWWEBS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=FSR,OU=Tier 1OFFSEC\VA-azerty190-distlist1GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Groups,OU=FSR,OU=Tier 1OFFSEC\ESMWDBAS1000001$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Groups,OU=FSR,OU=Tier 1OFFSEC\FINWVIR1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=ServiceAccounts,OU=FSR,OU=Tier 1OFFSEC\BDEWDBAS1000001$GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=Test,OU=FSR,OU=Tier 1OFFSEC\ESMWAPPS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Devices,OU=GOO,OU=Tier 1OFFSEC\HREWVIR1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Devices,OU=GOO,OU=Tier 1OFFSEC\LELA_LYONSGenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=Groups,OU=GOO,OU=Tier 1Domain UsersGenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Groups,OU=GOO,OU=Tier 1OFFSEC\JE-con-distlist1GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=ServiceAccounts,OU=GOO,OU=Tier 1OFFSEC\BDEWWKS1000001$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Test,OU=GOO,OU=Tier 1OFFSEC\DA-BADGIRLCE-distlist1GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Devices,OU=HRE,OU=Tier 1OFFSEC\FINWAPPS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Devices,OU=HRE,OU=Tier 1OFFSEC\FINWWKS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Devices,OU=HRE,OU=Tier 1OFFSEC\OGCWWKS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Groups,OU=HRE,OU=Tier 1OFFSEC\SECWAPPS1000001$GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=ServiceAccounts,OU=HRE,OU=Tier 1OFFSEC\AZRWWKS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=ServiceAccounts,OU=HRE,OU=Tier 1OFFSEC\DA-petronilo-admingroup1GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=ServiceAccounts,OU=HRE,OU=Tier 1OFFSEC\FSRWAPPS1000002$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Test,OU=HRE,OU=Tier 1OFFSEC\AZRWWKS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=ITS,OU=Tier 1OFFSEC\HREWVIR1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=ITS,OU=Tier 1OFFSEC\JU-lad-admingroup1GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Devices,OU=ITS,OU=Tier 1OFFSEC\SECWAPPS1000001$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Devices,OU=ITS,OU=Tier 1OFFSEC\SECWWKS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Groups,OU=ITS,OU=Tier 1OFFSEC\HREWVIR1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=ServiceAccounts,OU=ITS,OU=Tier 1OFFSEC\ANGELIA_MANNGenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=Devices,OU=OGC,OU=Tier 1OFFSEC\HREWLPT1000001$GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=Devices,OU=OGC,OU=Tier 1OFFSEC\JE-teamocozi-distlist1GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=Test,OU=OGC,OU=Tier 1OFFSEC\BE-ben-distlist1GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Test,OU=OGC,OU=Tier 1OFFSEC\MA-revillana-admingroup1GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=SEC,OU=Tier 1OFFSEC\GOOWSECS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Devices,OU=SEC,OU=Tier 1OFFSEC\LELA_LYONSGenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Groups,OU=SEC,OU=Tier 1OFFSEC\HREWWEBS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=ServiceAccounts,OU=SEC,OU=Tier 1OFFSEC\ITSWLPT1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=Test,OU=SEC,OU=Tier 1OFFSEC\MA-revillana-admingroup1GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=TST,OU=Tier 1OFFSEC\AZRWWKS1000003$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=TST,OU=Tier 1OFFSEC\BDEWWEBS1000001$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Devices,OU=TST,OU=Tier 1OFFSEC\FINWWKS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=Groups,OU=TST,OU=Tier 1OFFSEC\GA-170-distlist1GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Tier 2OFFSEC\BE-ben-distlist1GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=Tier 2OFFSEC\MA-revillana-admingroup1GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=AWS,OU=Tier 2OFFSEC\FSRWWKS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=AWS,OU=Tier 2OFFSEC\VA-azerty190-distlist1GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Devices,OU=AWS,OU=Tier 2OFFSEC\FINWVIR1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=Groups,OU=AWS,OU=Tier 2OFFSEC\ITSWDBAS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=ServiceAccounts,OU=AWS,OU=Tier 2OFFSEC\FSRWAPPS1000002$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Test,OU=AWS,OU=Tier 2OFFSEC\CA-sanjavier-admingroup1GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Test,OU=AWS,OU=Tier 2OFFSEC\SECWAPPS1000001$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Test,OU=AWS,OU=Tier 2OFFSEC\VA-azerty190-distlist1GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Devices,OU=AZR,OU=Tier 2OFFSEC\ESMWWKS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Devices,OU=AZR,OU=Tier 2OFFSEC\ITSWLPT1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=Groups,OU=AZR,OU=Tier 2OFFSEC\ITSWLPT1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Groups,OU=AZR,OU=Tier 2OFFSEC\JU-lad-admingroup1GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=BDE,OU=Tier 2OFFSEC\SECWWEBS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=ESM,OU=Tier 2OFFSEC\GA-170-distlist1GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=ESM,OU=Tier 2OFFSEC\HREWLPT1000001$GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=ESM,OU=Tier 2OFFSEC\LELA_LYONSGenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Devices,OU=ESM,OU=Tier 2OFFSEC\AZRWDBAS1000001$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Groups,OU=ESM,OU=Tier 2OFFSEC\HREWVIR1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=ServiceAccounts,OU=ESM,OU=Tier 2OFFSEC\DORIS_BRIDGESGenericAll, GenericWrite, WriteDacl, WriteOwner
OU=FIN,OU=Tier 2OFFSEC\ESMWWKS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=FIN,OU=Tier 2OFFSEC\FINWAPPS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Devices,OU=FIN,OU=Tier 2OFFSEC\BDEWDBAS1000001$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Devices,OU=FIN,OU=Tier 2OFFSEC\HREWLPT1000001$GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=Groups,OU=FIN,OU=Tier 2OFFSEC\BDEWCTRX1000001$GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=Groups,OU=FIN,OU=Tier 2OFFSEC\BE-201-distlist1GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Groups,OU=FIN,OU=Tier 2OFFSEC\ESMWWKS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=Groups,OU=FIN,OU=Tier 2OFFSEC\LELA_LYONSGenericAll, GenericWrite, WriteDacl, WriteOwner
OU=ServiceAccounts,OU=FIN,OU=Tier 2OFFSEC\BDEWDBAS1000001$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=FSR,OU=Tier 2OFFSEC\OGCWWEBS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=ServiceAccounts,OU=FSR,OU=Tier 2OFFSEC\BDEWDBAS1000001$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Test,OU=FSR,OU=Tier 2OFFSEC\BDEWWKS1000001$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Test,OU=FSR,OU=Tier 2OFFSEC\VA-azerty190-distlist1GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=GOO,OU=Tier 2OFFSEC\ESMWAPPS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Devices,OU=GOO,OU=Tier 2OFFSEC\DA-BADGIRLCE-distlist1GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Devices,OU=GOO,OU=Tier 2OFFSEC\SH-mamiringa-admingroup1GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Groups,OU=GOO,OU=Tier 2OFFSEC\BE-201-distlist1GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Groups,OU=GOO,OU=Tier 2OFFSEC\FSRWAPPS1000002$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Groups,OU=GOO,OU=Tier 2OFFSEC\SECWAPPS1000001$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Groups,OU=GOO,OU=Tier 2OFFSEC\TSTWLPT1000001$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=ServiceAccounts,OU=GOO,OU=Tier 2OFFSEC\AWSWWKS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=ServiceAccounts,OU=GOO,OU=Tier 2OFFSEC\DORIS_BRIDGESGenericAll, GenericWrite, WriteDacl, WriteOwner
OU=ServiceAccounts,OU=GOO,OU=Tier 2OFFSEC\SECWAPPS1000002$GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=Test,OU=GOO,OU=Tier 2OFFSEC\FSRWWKS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=HRE,OU=Tier 2OFFSEC\DC02$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=ServiceAccounts,OU=HRE,OU=Tier 2OFFSEC\AZRWWKS1000003$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Test,OU=HRE,OU=Tier 2OFFSEC\BDEWWEBS1000001$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=ITS,OU=Tier 2OFFSEC\JE-con-distlist1GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Devices,OU=ITS,OU=Tier 2OFFSEC\DC02$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Devices,OU=ITS,OU=Tier 2OFFSEC\FINWAPPS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Groups,OU=ITS,OU=Tier 2OFFSEC\33-JIm-distlist1GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Groups,OU=ITS,OU=Tier 2OFFSEC\BDEWWEBS1000001$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Groups,OU=ITS,OU=Tier 2OFFSEC\HREWVIR1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Groups,OU=ITS,OU=Tier 2OFFSEC\SECWWKS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Groups,OU=ITS,OU=Tier 2OFFSEC\TO-nunogomes-distlist1GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=ServiceAccounts,OU=ITS,OU=Tier 2OFFSEC\BDEWDBAS1000001$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=ServiceAccounts,OU=ITS,OU=Tier 2OFFSEC\MA-revillana-admingroup1GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Test,OU=ITS,OU=Tier 2OFFSEC\HREWLPT1000001$GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=Devices,OU=OGC,OU=Tier 2OFFSEC\BDEWWEBS1000001$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Groups,OU=OGC,OU=Tier 2OFFSEC\OGCWWEBS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=Groups,OU=OGC,OU=Tier 2OFFSEC\RA-100-distlist1GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Devices,OU=SEC,OU=Tier 2OFFSEC\BDEWWEBS1000001$GenericAll, GenericWrite, WriteDacl, WriteOwner, GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Devices,OU=SEC,OU=Tier 2OFFSEC\JE-con-distlist1GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Groups,OU=SEC,OU=Tier 2OFFSEC\BDEWCTRX1000001$GenericAll, GenericWrite, WriteDacl, WriteOwner, All extended right, DSSelf, Write all prop
OU=ServiceAccounts,OU=SEC,OU=Tier 2BUILTIN\Print OperatorsGenericAll, GenericWrite, WriteDacl, WriteOwner
OU=ServiceAccounts,OU=SEC,OU=Tier 2OFFSEC\BDEWDBAS1000001$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=ServiceAccounts,OU=SEC,OU=Tier 2OFFSEC\DA-BADGIRLCE-distlist1GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=ServiceAccounts,OU=SEC,OU=Tier 2OFFSEC\GOOWSECS1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=Devices,OU=TST,OU=Tier 2OFFSEC\HREWVIR1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner
OU=ServiceAccounts,OU=TST,OU=Tier 2OFFSEC\ITSWLPT1000000$GenericAll, GenericWrite, WriteDacl, WriteOwner

In particular for AD database access (DCSync, AADConnect, ...).

DistinguishedName | Account | Right
DC=offsec | OFFSEC\Domain Controllers | EXT_RIGHT_REPLICATION_GET_CHANGES_ALL

This section focuses on permissions issues that can be exploited to take control of the domain.
This is an advanced section that should be examined after having looked at the Admin Groups section.

Foreign domain involved

This analysis focuses on accounts found in control path and located in other domains.

No operative link with other domains has been found.

Indirect links

This part summarizes in a single table whether major issues have been found.
Focus on finding critical objects such as the Everyone group, then try to decrease the number of objects having indirect access.
The detail is displayed below.

Priority to remediate | Critical Object Found | Number of objects with Indirect | Max number of indirect numbers | Max ratio (%)
Critical | YES | 3 | 826 | 36650
High | YES | 3 | 800 | 74900
Medium | YES | 8 | 902 | 86700
Other | YES | 1 | 830 | 41500

Admin groups

If the report has been saved with the full details, each object can be zoomed into with its full detail. If it is not the case, for privacy reasons, only general statistics are available.

Group or user account | Priority | Users member | Computer member of the group | Indirect control | Unresolved members | Links
Account Operators | High | 1 | 0 | 722 including EVERYONE | 0 | None
Administrator | Critical | | | 0 | 0 | None
Administrators | Critical | 10 | 0 | 826 including EVERYONE | 0 | None
Backup Operators | High | 1 | 0 | 749 including EVERYONE | 0 | None
Certificate Operators | Medium | 1 | 0 | 867 including EVERYONE | 0 | None
Certificate Publishers | Other | 2 | 0 | 830 including EVERYONE | 0 | None
Dns Admins | Medium | 3 | 0 | 712 including EVERYONE | 0 | None
Domain Administrators | Critical | 9 | 0 | 741 including EVERYONE | 0 | None
Enterprise Administrators | Critical | 1 | 0 | 0 | 0 | None
Enterprise Key Administrators | Medium | 0 | 0 | 0 | 0 | None
Key Administrators | Medium | 4 | 0 | 867 including EVERYONE | 0 | None
Print Operators | Medium | 2 | 0 | 813 including EVERYONE | 0 | None
Replicator | Medium | 2 | 0 | 853 including EVERYONE | 0 | None
Schema Administrators | Critical | 1 | 0 | 0 | 0 | None
Server Operators | High | 3 | 0 | 800 including EVERYONE | 0 | None

Critical Infrastructure

If the report has been saved with the full details, each object can be zoomed into with its full detail. If it is not the case, for privacy reasons, only general statistics are available.

Group or user account | Priority | Users member | Computer member of the group | Indirect control | Unresolved members | Links
Builtin OU | Medium | | | 0 | 0 | None
Computers container | Medium | | | 0 | 0 | None
Domain Controllers | Critical | 2 | 2 | 733 including EVERYONE | 0 | None
Domain Root | Medium | | | 771 including EVERYONE | 0 | None
Enterprise Read Only Domain Controllers | Other | 0 | 0 | 0 | 0 | None
Group Policy Creator Owners | Medium | 6 | 0 | 902 including EVERYONE | 0 | None
Krbtgt account | Medium | | | 0 | 0 | None
Read Only Domain Controllers | Medium | 2 | 0 | 833 including EVERYONE | 0 | None
Users container | Medium | | | 0 | 0 | None

This section focuses on the relations that this domain has with other domains

Discovered Domains

This part displays the direct links that this domain has with other domains.

Trust Partner | Type | Attribute | Direction | SID Filtering active | TGT Delegation | Creation | Is Active | Algorithm

Reachable Domains

These are the domains that PingCastle was able to detect but which are not related to direct trusts. They may be child domains of a forest or bastion domains.

Reachable domain | Discovered using | Netbios | Creation date

PKI

Certificates

This detects trusted certificates which could be used in man-in-the-middle attacks or which can issue smart card logon certificates.

Number of trusted certificates: 0

Source | Store | Subject | Issuer | NotBefore | NotAfter | Module size | Signature Alg | SC Logon

Azure AD Connect settings

Azure AD Connect helps maintain synchronization between Active Directory and Azure AD. Azure AD Connect servers should be considered as Tier 0, as they usually have the right to read the hashes of user passwords.

Identifier | Computer | Tenant | IsEnabled | Created | LastLogon | PwdLastSet | Computer object found

WSUS settings

WSUS settings allow workstations and servers located on the intranet to be updated. The reference documentation is here. Here are the settings found in GPOs.

Policy Name | WSUS Server | UseWUServer | ElevateNonAdmins | AUOptions | NoAutoUpdate | NoAutoRebootWithLoggedOnUsers

Exchange settings

Exchange is Microsoft's mail server. Because it is deeply integrated into Active Directory, it is a component to be monitored.

PingCastle is checking objects of type msExchExchangeServer and the schema to provide the information below.

Name | In service date | Version | Proxy

SCCM settings

SCCM, or under its more recent name Microsoft Endpoint Manager, is the Microsoft tool to manage workstations and servers. It is typically used to deploy packages.

PingCastle is checking objects of type mSSMSManagementPoint and the schema to provide the information below.

Name | Version | Client operational version | AAD TenantID | AAD TenantName

Service Connection Points

Service Connection Points are configuration objects stored in the AD to expose services to all computers.

Service | Class | DNS | Binding Info | DN

Replacement of RC4 by AES in kerberos

This section checks for known pain points in AES activation and RC4 removal for Kerberos.

This feature is reserved for customers who have purchased a license

This section focuses on security checks specific to the Active Directory environment.

Backup

The program checks the last date of the AD backup. This date is computed using the replication metadata of the attribute dsaSignature (reference).

Last backup date: 2022-12-23 15:04:22Z

LAPS

LAPS is used to have a unique local administrator password on all workstations / servers of the domain. This password is then changed at a fixed interval. The risk is that a local administrator hash is retrieved and reused on other workstations in a pass-the-hash attack. Please note that the LAPS schema is installed on the forest and, as a consequence, the installation date can be before the domain creation date.

Mitigation: have a process for when a new workstation is created, or install LAPS and apply it through a GPO.

LAPS installation date: Never

Windows Event Forwarding (WEF)

Windows Event Forwarding is a native mechanism used to collect logs from all workstations / servers of the domain. Microsoft recommends to use Windows Event Forwarding to help with intrusion detection. Here is the list of servers configured for WEF found in GPOs.

Number of WEF configuration found: 0

krbtgt (Used for Golden ticket attacks)

The account password for the krbtgt account should be rotated twice yearly at a minimum. More frequent password rotations are recommended, with 40 days the current recommendation by ANSSI. Additional rotations based on external events, such as departure of an employee who had privileged network access, are also strongly recommended.

You can perform this action using this script

You can use the version gathered using replication metadata from two reports to guess the frequency of the password change, or whether the two consecutive resets have been done. The version starts at 1.

Kerberos password last changed: 2022-12-23 10:37:26Z version: 2

AdminSDHolder (detect temporary elevated accounts)

This control detects accounts which are former 'unofficial' admins. Indeed, when an account belongs to a privileged group, the attribute admincount is set. If the attribute is set without the account being an official member, this is suspicious. To suppress this warning, the attribute admincount of these accounts should be removed after review.

Number of accounts to review: 0

Unix Passwords

This control detects if one of the attributes userPassword or unixUserPassword has been set on accounts. Indeed, these attributes are designed to store encrypted secrets for Unix (or mainframe) interconnection. However, in the large majority of cases, interconnected systems are poorly designed and the user password is stored in these attributes in clear text or poorly encrypted. The userPassword attribute is also used in classic LDAP systems to change the user password by setting its value. But with Active Directory, it is considered by default as a normal attribute and doesn't trigger a password change, but instead shows the password in clear text.

Number of accounts to review: 0

Java code reference

This control detects if one of the attributes javaCodebase, javaFactory or javaClassname has been set on accounts. These attributes are designed to attach custom code to an AD object when it is loaded by Java code. However, they can be abused to run code on servers having the flag com.sun.jndi.ldap.object.trustURLCodebase set to true. This is a vulnerability similar to the log4shell vulnerability.

Java Schema extension: Not Found

No active user account found with Java code

Logon scripts

You can check here for backdoors or typos in the scriptPath attribute.

Script Name | Count
None        | 2492

Advanced

This section displays advanced information, if any has been found.

Password policies

Note: PSO (Password Settings Objects) will be visible only if the user who collected the information has the permission to view them.
PSO shown in the report will be prefixed by "PSO:".

Policy Name | Complexity | Max Password Age | Min Password Age | Min Password Length | Password History | Reversible Encryption | Lockout Threshold | Lockout Duration | Reset account lockout counter after
Default Domain Policy | True | 42 day(s) | 1 day(s) | 7 | 24 | False | 0 | Not Set | Not Set

Screensaver policies

These are the settings related to screensavers stored in Group Policies. Each non-compliant setting is written in red.

Policy Name | Screensaver enforced | Password request | Start after (seconds) | Grace Period (seconds)
GPO

This section focuses on security settings stored in the Active Directory technical security policies.

Obfuscated Passwords

Passwords stored in GPO are obfuscated, not encrypted. Consider any password listed here as compromised and change it immediately.

Restricted Groups

Granting local group membership through a GPO is a way to become administrator.
A local administrator of a domain controller can become domain administrator instantly.

Security settings

A GPO can be used to deploy security settings to workstations.
Settings that follow the best practice of the default security baseline are reported in green.
The following settings in red are unusual and may need to be reviewed.
Each setting is accompanied by its value and a link to the GPO explanation.

You will find below the checks where no occurrences have been found.

Policy Name | Setting | Value

Here are the security checks that have been performed by PingCastle and for which no applicable GPO has been found.

Audit settings

Audit settings allow the system to generate logs which are useful for detecting intrusions. Here are the settings found in GPO.

Simple audit events are described here and Advanced audit events are described here

You can get a list of all effective audit settings on a system with the command line: auditpol.exe /get /category:* (source)

Simple audit settings are located in: Computer Configuration / Policies / Windows Settings / Security Settings / Local Policies / Audit Policy. Simple audit settings are named [Simple Audit].

Advanced audit settings are located in: Computer Configuration / Policies / Windows Settings / Security Settings / Advanced Audit Policy Configuration. Their category is displayed below.

Policy Name | Category | Setting | Value

Privileges

Granting privileges through a GPO is a way to become administrator without being a member of a group.
For example, SeTcbPrivilege gives the right to act as SYSTEM, which has more privileges than the administrator account.

GPO Name | Privilege | Members
Default Domain Controllers Policy | SeAssignPrimaryTokenPrivilege | NT AUTHORITY\NETWORK SERVICE
Default Domain Controllers Policy | SeAssignPrimaryTokenPrivilege | NT AUTHORITY\LOCAL SERVICE
Default Domain Controllers Policy | SeBackupPrivilege | BUILTIN\Server Operators
Default Domain Controllers Policy | SeBackupPrivilege | BUILTIN\Backup Operators
Default Domain Controllers Policy | SeBackupPrivilege | Administrators
Default Domain Controllers Policy | SeDebugPrivilege | Administrators
Default Domain Controllers Policy | SeLoadDriverPrivilege | BUILTIN\Print Operators
Default Domain Controllers Policy | SeLoadDriverPrivilege | Administrators
Default Domain Controllers Policy | SeMachineAccountPrivilege | Authenticated Users
Default Domain Controllers Policy | SeRestorePrivilege | BUILTIN\Server Operators
Default Domain Controllers Policy | SeRestorePrivilege | BUILTIN\Backup Operators
Default Domain Controllers Policy | SeRestorePrivilege | Administrators
Default Domain Controllers Policy | SeSecurityPrivilege | Administrators
Default Domain Controllers Policy | SeTakeOwnershipPrivilege | Administrators
Default Domain Controllers Policy | SeEnableDelegationPrivilege | Administrators

Login

Logon authorization and restriction can be set by GPO. By default, everyone is allowed to log on to every computer except domain controllers. Defining logon restrictions is a way to build isolated tiers. Here are the settings found in GPO.

GPO Name | Privilege | Members
Default Domain Controllers Policy | Log on as a batch job | BUILTIN\Performance Log Users
Default Domain Controllers Policy | Log on as a batch job | BUILTIN\Backup Operators
Default Domain Controllers Policy | Log on as a batch job | Administrators
Default Domain Controllers Policy | Allow log on locally | NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
Default Domain Controllers Policy | Allow log on locally | BUILTIN\Print Operators
Default Domain Controllers Policy | Allow log on locally | BUILTIN\Server Operators
Default Domain Controllers Policy | Allow log on locally | BUILTIN\Account Operators
Default Domain Controllers Policy | Allow log on locally | BUILTIN\Backup Operators
Default Domain Controllers Policy | Allow log on locally | Administrators
Default Domain Controllers Policy | Access this computer from the network | BUILTIN\Pre-Windows 2000 Compatible Access
Default Domain Controllers Policy | Access this computer from the network | NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
Default Domain Controllers Policy | Access this computer from the network | Authenticated Users
Default Domain Controllers Policy | Access this computer from the network | Administrators
Default Domain Controllers Policy | Access this computer from the network | Everyone

GPO Login script

A GPO logon script is a way to force the execution of a script on behalf of users. Only enabled users are analyzed.

GPO Deployed Files

A GPO can be used to deploy applications or copy files. If these files are controlled by a third party, that party can control the execution of local programs.